├── Chapter01 ├── 1.3.2 mysql-deploy.yaml ├── 1.3.2 mysql-svc.yaml ├── 1.3.3 myweb-deploy.yaml ├── 1.3.3 myweb-svc.yaml ├── 1.4.2 busybox-pod.yaml ├── 1.4.3 hpa.yaml ├── 1.4.3 myweb-pod.yaml ├── 1.4.3 tomcat-deployment.yaml ├── 1.4.3 tomcat-service-multiple-ports.yaml ├── 1.4.3 tomcat-service-nodeport.yaml ├── 1.4.3 tomcat-service.yaml ├── 1.4.4 pvc.yaml ├── 1.4.4 storageclass.yaml ├── 1.4.5 role.yaml └── 1.4.5 rolebinding.yaml ├── Chapter02 ├── 2.2.1 kubernetes.repo.yaml ├── 2.2.4 kubeadm init.sh ├── 2.2.5 kubeadm join.sh ├── 2.3.3 etcd-HA-cluaster-configs.txt ├── 2.3.4 kubernetes-HA-cluster-configs.txt ├── 2.3.5 kubernetes-node-configs.txt └── 2.5.2 kubeadm upgrade.sh ├── Chapter03 ├── 3.10 nginx-init-containers.yaml ├── 3.11 deployment-update-rollback.yaml ├── 3.12.1 deployment-scale.yaml ├── 3.12.2 hpa.yaml ├── 3.13 statefulset-mongodb-cluster.yaml ├── 3.2 frontend-localredis-pod.yaml ├── 3.2 frontend-pod.yaml ├── 3.3 static-web.yaml ├── 3.4 pod-volume-applogs.yaml ├── 3.5.2 cm-appconfigfiles.yaml ├── 3.5.2 cm-appvars.yaml ├── 3.5.3 cm-test-pod-envfrom.yaml ├── 3.5.3 cm-test-pod-use-envvar.yaml ├── 3.5.3 cm-test-pod-volume-items.yaml ├── 3.5.3 cm-test-pod-volume-mount-dir.yaml ├── 3.6.1 dapi-envars-container.yaml ├── 3.6.1 dapi-envars-pod.yaml ├── 3.6.2 dapi-volume-resources.yaml ├── 3.6.2 dapi-volume.yaml ├── 3.8 pod-livenessprobe.yaml ├── 3.9.1 nginx-deployment.yaml ├── 3.9.10 customized-scheduler.yaml ├── 3.9.2 redis-rc-nodeselector.yaml ├── 3.9.3 pod-nodeaffinity.yaml ├── 3.9.4 pod-podaffinity.yaml ├── 3.9.5 pod-taints-tolerations.yaml ├── 3.9.6 pod-priority.yaml ├── 3.9.7 daemonset.yaml ├── 3.9.8 job.yaml └── 3.9.9 cronjob.yaml ├── Chapter04 ├── 4.2 webapp-deploy-service.yaml ├── 4.2.2 service-sessionaffinity.yaml ├── 4.2.3 service-multiple-ports.yaml ├── 4.2.4 external-service.yaml ├── 4.2.5 pod-hostport.yaml ├── 4.2.5 service-expose-to-external.yaml ├── 4.2.6 service-AppProtocol.yaml ├── 4.2.8 nginx-headless-service.yaml ├── 4.2.9 service-topology.yaml 
├── 4.3.2 coredns.yaml ├── 4.4 nodelocaldns.yaml ├── 4.4.1 pod-hostnetwork.yaml ├── 4.5.2 pod-customize-hostname-subdomain.yaml ├── 4.5.3 pod-dnspolicy.yaml ├── 4.5.4 pod-dnsconfig.yaml ├── 4.6.1 nginx-ingress-controller.yaml ├── 4.6.2 ingress-resource-samples.yaml ├── 4.6.3 ingress-config-sample.yaml └── 4.6.4 ingress-tls.yaml ├── Chapter06 ├── 6.2.3 rbac.yaml ├── 6.5 imagepullsecret.yaml ├── 6.5 secret.yaml ├── 6.6.1 podsecuritypolicy.yaml ├── 6.6.2 podsecuritypolicy-config.yaml ├── 6.6.3 podsecuritypolicy-examples.yaml ├── 6.6.4 podsecuritypolicy-rbac.yaml └── 6.6.5 pod-securitycontext.yaml ├── Chapter07 ├── 7.5 pod-service-network.yaml ├── 7.6.2 cni-plugin-examples.json ├── 7.7.4 cni-calico.yaml ├── 7.8.1 networkpolicy.yaml ├── 7.8.3 default-networkpolicy-in-namespace.yaml ├── 7.8.4 networkpolicy-samples.yaml ├── 7.9.1 calico-ipv4-ipv6-dual-stack.yaml ├── 7.9.2 pod-ip-dual-stack.yaml └── 7.9.3 service-ip-dual-stack.yaml ├── Chapter08 ├── 8.1.1 inject-volume-into-pod.yaml ├── 8.1.2 node-volume.yaml ├── 8.2.2 pv.yaml ├── 8.2.3 pvc.yaml ├── 8.2.4 pod-use-pvc.yaml ├── 8.2.5 storage-class.yaml ├── 8.3 glusterfs-practice.yaml ├── 8.4.3 csi.yaml └── 8.4.4 csi-volumesnapshot.yaml ├── Chapter09 ├── 9.4.1 customresourcedefinition.yaml └── 9.4.2 apiaggregation-apiservice.yaml ├── Chapter10 ├── 10.1.1 unschedule-node.yaml ├── 10.10 dashboard.yaml ├── 10.11 helm.txt ├── 10.3.1 namespace.yaml ├── 10.3.3 context.yaml ├── 10.4.1 pod-resources-setting.yaml ├── 10.4.2 limitrange.yaml ├── 10.4.4 resourcequota.yaml ├── 10.4.5 limitrange-resourcequota-practice.yaml ├── 10.4.6 share-process-namespace.yaml ├── 10.6 poddisruptionbudget.yaml ├── 10.7.1 metrics-server.yaml ├── 10.7.2 prometheus-grafana.yaml ├── 10.8.2 elasticsearch-fluentd-kibana.yml ├── 10.8.3 sidecar-log-collector.yml └── 10.9 audit-policy.yaml ├── Chapter12 ├── 12.1.1 windows-container.yaml ├── 12.2.1 gpu.yaml ├── 12.2.2 pod-use-gpu.yaml └── 12.3.1 verticalpodautoscaler.yaml └── README.md /Chapter01/1.3.2 
mysql-deploy.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mysql
  name: mysql
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:5.7
        name: mysql
        ports:
        - containerPort: 3306
        env:
        # NOTE(review): the root password is a plaintext literal in the manifest, so anyone
        # who can read the Deployment (kubectl get deploy -o yaml) or this repository has it.
        # A Secret referenced through valueFrom.secretKeyRef keeps it out of the spec.
        - name: MYSQL_ROOT_PASSWORD
          value: "123456"

--------------------------------------------------------------------------------
/Chapter01/1.3.2 mysql-svc.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: mysql
spec:
  # ClusterIP (default type): reachable only from inside the cluster network.
  ports:
  - port: 3306
  selector:
    app: mysql

--------------------------------------------------------------------------------
/Chapter01/1.3.3 myweb-deploy.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: myweb
  name: myweb
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myweb
  template:
    metadata:
      labels:
        app: myweb
    spec:
      containers:
      - image: kubeguide/tomcat-app:v1
        name: myweb
        ports:
        - containerPort: 8080
        env:
        # The ClusterIP of the mysql Service is hard-coded here and changes whenever that
        # Service is recreated; the Service DNS name (mysql) is the stable alternative.
        - name: MYSQL_SERVICE_HOST
          value: 10.245.161.22

--------------------------------------------------------------------------------
/Chapter01/1.3.3 myweb-svc.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: myweb
spec:
  # NodePort opens 30001 on every node's interfaces; nothing in this sample authenticates
  # callers, so the app itself is what is exposed to whoever can reach the nodes.
  type: NodePort
  ports:
  - port: 8080
    nodePort: 30001
  selector:
    app: myweb


--------------------------------------------------------------------------------
/Chapter01/1.4.2 busybox-pod.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  # The namespace must already exist; kubectl does not create it on the fly.
  namespace: development
spec:
  containers:
  # Untagged image: resolves to the floating "latest" tag, so the bits pulled are not pinned.
  - image: busybox
    command:
    - sleep
    - "3600"
    name: busybox

--------------------------------------------------------------------------------
/Chapter01/1.4.3 hpa.yaml:
--------------------------------------------------------------------------------
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
  namespace: default
spec:
  maxReplicas: 10
  minReplicas: 1
  scaleTargetRef:
    kind: Deployment
    name: php-apache
  # Scale out when average CPU utilisation (against the pods' CPU requests) exceeds 90%.
  targetCPUUtilizationPercentage: 90

--------------------------------------------------------------------------------
/Chapter01/1.4.3 myweb-pod.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: myweb
  labels:
    name: myweb
spec:
  containers:
  - name: myweb
    image: kubeguide/tomcat-app:v1
    ports:
    - containerPort: 8080

--------------------------------------------------------------------------------
/Chapter01/1.4.3 tomcat-deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
spec:
  replicas: 1
  selector:
    # matchLabels and matchExpressions are ANDed; both select tier=frontend here.
    matchLabels:
      tier: frontend
    matchExpressions:
    - {key: tier, operator: In, values: [frontend]}
  template:
    metadata:
      labels:
        app: app-demo
        tier: frontend
    spec:
      containers:
      - name: tomcat-demo
        # Untagged image combined with IfNotPresent: a node serves whatever "tomcat:latest"
        # it already has cached, so replicas on different nodes may run different builds.
        image: tomcat
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080

--------------------------------------------------------------------------------
/Chapter01/1.4.3 tomcat-service-multiple-ports.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
spec:
  ports:
  - port: 8080
    name: service-port
  # 8005 is Tomcat's shutdown listener, which accepts a plaintext shutdown command; publishing
  # it cluster-wide is only sensible for this multi-port demo (Tomcat binds it to loopback by
  # default, so it is reachable through the Service only if server.xml is changed as well).
  - port: 8005
    name: shutdown-port
  selector:
    tier: frontend

--------------------------------------------------------------------------------
/Chapter01/1.4.3 tomcat-service-nodeport.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
spec:
  # Reachable on port 31002 of every node.
  type: NodePort
  ports:
  - port: 8080
    nodePort: 31002
  selector:
    tier: frontend

--------------------------------------------------------------------------------
/Chapter01/1.4.3 tomcat-service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
spec:
  ports:
  - port: 8080
  selector:
    tier: frontend

--------------------------------------------------------------------------------
/Chapter01/1.4.4 pvc.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: claim1
spec:
  accessModes:
  - ReadWriteOnce
  # Must match the StorageClass name in storageclass.yaml below.
  storageClassName: standard
  resources:
    requests:
      storage: 30Gi

--------------------------------------------------------------------------------
/Chapter01/1.4.4 storageclass.yaml:
--------------------------------------------------------------------------------
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: standard
# In-tree AWS EBS provisioner; gp2 = general-purpose SSD.
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
# Retain: deleting the PVC leaves the EBS volume (and the data on it) in place; it has to be
# wiped/deleted deliberately, which is the safe default for data you cannot regenerate.
reclaimPolicy: Retain
allowVolumeExpansion: true
# Passed through to mount(8); "debug" is the upstream example value -- check what the
# filesystem driver in use does with it before relying on it.
mountOptions:
  - debug
volumeBindingMode: Immediate

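--------------------------------------------------------------------------------
/Chapter01/1.4.5 role.yaml:
--------------------------------------------------------------------------------
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
# Read-only access to pods in the default namespace; "" is the core API group.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

--------------------------------------------------------------------------------
/Chapter01/1.4.5 rolebinding.yaml:
--------------------------------------------------------------------------------
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
# "User" is whatever name the authenticator presents (client-cert CN, OIDC claim, ...);
# the binding applies only to a principal that authenticates as exactly "Caden".
- kind: User
  name: Caden
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

--------------------------------------------------------------------------------
/Chapter02/2.2.1 kubernetes.repo.yaml:
--------------------------------------------------------------------------------
[kubernetes]
# The section previously carried two name= keys; strict INI parsers reject duplicate keys and
# lenient ones silently keep one of them, so a single name is kept here.
name=Kubernetes
# $basearch is expanded by yum. The "\$basearch" spelling only belongs inside a shell heredoc
# that writes this file; in a stored .repo file the backslash is literal and breaks the URL.
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch
enabled=1
# Verify both package signatures and repository-metadata signatures against the keys below.
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
# Keeps a plain "yum update" from moving the Kubernetes binaries; 2.5.2 kubeadm upgrade.sh
# lifts this on purpose with --disableexcludes=kubernetes.
exclude=kubelet kubeadm kubectl

--------------------------------------------------------------------------------
/Chapter02/2.2.4 kubeadm init.sh:
--------------------------------------------------------------------------------
kubeadm init --config=init-config.yaml

# admin.conf carries a cluster-admin client certificate; the copy below is what kubectl
# uses from now on, so keep it readable by this user only.
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

export KUBECONFIG=/etc/kubernetes/admin.conf

kubectl -n kube-system get configmap
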
--------------------------------------------------------------------------------
/Chapter02/2.2.5 kubeadm join.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kubeguide/K8sDefinitiveGuide-V5-Sourcecode/499b07cafe313cd761a81f59c85cb9641250cf73/Chapter02/2.2.5 kubeadm join.sh
--------------------------------------------------------------------------------
/Chapter02/2.3.3 etcd-HA-cluaster-configs.txt:
--------------------------------------------------------------------------------
# /usr/lib/systemd/system/etcd.service
[Unit]
Description=etcd key-value store
Documentation=https://github.com/etcd-io/etcd
After=network.target

[Service]
# All etcd flags come from the environment file; the per-node variants are listed below.
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd
Restart=always

[Install]
WantedBy=multi-user.target



# etcd_ssl.cnf
# One CSR config for all three members: the SAN list names every member IP, so the single
# certificate issued below is valid on any of them.
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
# End-entity certificate: it cannot itself sign other certificates.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 192.168.18.3
IP.2 = 192.168.18.4
IP.3 = 192.168.18.5




# Signing with the Kubernetes cluster CA means anything that trusts that CA also trusts this
# etcd serving cert (and any client cert it issues); kubeadm-style deployments use a
# dedicated etcd CA for that reason. -days 36500 is ~100 years of validity, i.e. no rotation
# is ever forced, so the private key needs to be protected accordingly.
openssl genrsa -out etcd_server.key 2048

openssl req -new -key etcd_server.key -config etcd_ssl.cnf -subj "/CN=etcd-server" -out etcd_server.csr

openssl x509 -req -in etcd_server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile etcd_ssl.cnf -out etcd_server.crt




# /etc/etcd/etcd.conf - node 1
# The same cert/key pair serves the client port here and the peer port (ETCD_PEER_* entries
# below) on all three nodes, so one node's key is effectively the whole cluster's key.
ETCD_NAME=etcd1
ETCD_DATA_DIR=/etc/etcd/data

ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
# Clients on 2379 must present a certificate signed by the CA above. No equivalent
# ETCD_PEER_CLIENT_CERT_AUTH is set, so (etcd default) peers on 2380 are not required to;
# enabling it restricts who can join as a peer to holders of a CA-signed cert.
ETCD_CLIENT_CERT_AUTH=true

ETCD_LISTEN_CLIENT_URLS=https://192.168.18.3:2379
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.18.3:2379

# Peer TLS reuses the client-facing cert/key (issued above with all three member IPs as SANs).
ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_LISTEN_PEER_URLS=https://192.168.18.3:2380
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.18.3:2380

ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.18.3:2380,etcd2=https://192.168.18.4:2380,etcd3=https://192.168.18.5:2380"
# "new" is for bootstrapping; a member re-added to a running cluster is started with "existing".
ETCD_INITIAL_CLUSTER_STATE=new


# /etc/etcd/etcd.conf - node 2
# Identical to node 1 apart from ETCD_NAME and the listen/advertise addresses.
ETCD_NAME=etcd2
ETCD_DATA_DIR=/etc/etcd/data

ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_CLIENT_CERT_AUTH=true
ETCD_LISTEN_CLIENT_URLS=https://192.168.18.4:2379
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.18.4:2379

ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_LISTEN_PEER_URLS=https://192.168.18.4:2380
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.18.4:2380

ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.18.3:2380,etcd2=https://192.168.18.4:2380,etcd3=https://192.168.18.5:2380"
ETCD_INITIAL_CLUSTER_STATE=new


# /etc/etcd/etcd.conf - node 3
ETCD_NAME=etcd3
ETCD_DATA_DIR=/etc/etcd/data

ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_CLIENT_CERT_AUTH=true
ETCD_LISTEN_CLIENT_URLS=https://192.168.18.5:2379
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.18.5:2379

ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt

ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_LISTEN_PEER_URLS=https://192.168.18.5:2380
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.18.5:2380

ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.18.3:2380,etcd2=https://192.168.18.4:2380,etcd3=https://192.168.18.5:2380"
ETCD_INITIAL_CLUSTER_STATE=new




systemctl restart etcd && systemctl enable etcd

# Health check over mutual TLS. etcd_client.crt/.key are not produced by the openssl commands
# above; they must be issued by the same CA (ETCD_CLIENT_CERT_AUTH=true rejects anything else).
etcdctl --cacert=/etc/kubernetes/pki/ca.crt --cert=/etc/etcd/pki/etcd_client.crt --key=/etc/etcd/pki/etcd_client.key --endpoints=https://192.168.18.3:2379,https://192.168.18.4:2379,https://192.168.18.5:2379 endpoint health

--------------------------------------------------------------------------------
/Chapter02/2.3.4 kubernetes-HA-cluster-configs.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kubeguide/K8sDefinitiveGuide-V5-Sourcecode/499b07cafe313cd761a81f59c85cb9641250cf73/Chapter02/2.3.4 kubernetes-HA-cluster-configs.txt
--------------------------------------------------------------------------------
/Chapter02/2.3.5 kubernetes-node-configs.txt:
--------------------------------------------------------------------------------
# /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/kubernetes/kubernetes
# NOTE(review): the container runtime unit is normally docker.service; systemd ignores an
# unknown After= target, so this line may not actually order kubelet after the runtime.
After=docker.target

[Service]
EnvironmentFile=/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=always

[Install]
WantedBy=multi-user.target


# /etc/kubernetes/kubelet
# --kubeconfig: credentials the kubelet uses towards the API server (client side).
# --config: the KubeletConfiguration below, which governs the kubelet's own API (server side).
KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --config=/etc/kubernetes/kubelet.config \
  --hostname-override=192.168.18.3 \
  --network-plugin=cni \
  --logtostderr=false --log-dir=/var/log/kubernetes --v=0"


#
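# /etc/kubernetes/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
# The kubelet API listens on every interface.
address: 0.0.0.0
port: 10250
cgroupDriver: cgroupfs
clusterDNS: ["169.169.0.100"]
clusterDomain: cluster.local
authentication:
  anonymous:
    # NOTE(review): anonymous requests are accepted and no `authorization` section is set, so
    # the kubelet default (authorization.mode: AlwaysAllow) applies: anyone who can reach
    # 10250 gets the full kubelet API (exec/logs/port-forward) without credentials. Outside a
    # lab, set anonymous.enabled: false, authentication.webhook.enabled: true,
    # authentication.x509.clientCAFile: <cluster CA path>, authorization.mode: Webhook.
    enabled: true


systemctl start kubelet && systemctl enable kubelet





# /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
EnvironmentFile=/etc/kubernetes/proxy
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=always

[Install]
WantedBy=multi-user.target



# /etc/kubernetes/proxy
# Same kubeconfig as the kubelet; iptables mode programs Service VIPs into the node's netfilter rules.
KUBE_PROXY_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig \
  --hostname-override=192.168.18.3 \
  --proxy-mode=iptables \
  --logtostderr=false --log-dir=/var/log/kubernetes --v=0"


systemctl start kube-proxy && systemctl enable kube-proxy

--------------------------------------------------------------------------------
/Chapter02/2.5.2 kubeadm upgrade.sh:
--------------------------------------------------------------------------------
# --disableexcludes lifts the exclude= line in 2.2.1 kubernetes.repo.yaml for this one install.
yum install -y kubeadm-1.14.0 --disableexcludes=kubernetes

kubeadm upgrade plan

# Upgrades the control-plane components on this node.
kubeadm upgrade apply 1.14.0

# Refreshes the kubelet configuration for the new version (the kubelet package itself is updated separately).
kubeadm upgrade node config --kubelet-version 1.14.0

--------------------------------------------------------------------------------
/Chapter03/3.10 nginx-init-containers.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  annotations:
spec:
  initContainers:
  # Fetches the page nginx will serve over plain HTTP before the main container starts;
  # there is no integrity check on what lands in index.html.
  - name: install
    image: busybox
    command:
    - wget
    - "-O"
    - "/work-dir/index.html"
    - http://kubernetes.io
    volumeMounts:
    - name: workdir
      mountPath:
        "/work-dir"
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    volumeMounts:
    - name: workdir
      mountPath: /usr/share/nginx/html
  # Default = the node's resolv.conf rather than cluster DNS, so the init container can
  # resolve the external hostname.
  dnsPolicy: Default
  volumes:
  - name: workdir
    emptyDir: {}

--------------------------------------------------------------------------------
/Chapter03/3.11 deployment-update-rollback.yaml:
--------------------------------------------------------------------------------
# nginx-deployment.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80




# update
kubectl set image deployment/nginx-deployment nginx=nginx:1.9.1

kubectl edit deployment/nginx-deployment


# rollback
kubectl rollout history deployment/nginx-deployment
kubectl rollout history deployment/nginx-deployment --revision=3
# Without --to-revision, undo returns to the previous revision.
kubectl rollout undo deployment/nginx-deployment
kubectl rollout undo deployment/nginx-deployment --to-revision=2


# pause and resume
# While paused, the image and resource changes below are batched into a single rollout on resume.
kubectl rollout pause deployment/nginx-deployment
kubectl set image deploy/nginx-deployment nginx=nginx:1.9.1
kubectl rollout history deploy/nginx-deployment
kubectl set resources deployment nginx-deployment -c=nginx --limits=cpu=200m,memory=512Mi
kubectl rollout resume deploy nginx-deployment

--------------------------------------------------------------------------------
/Chapter03/3.12.1 deployment-scale.yaml:
--------------------------------------------------------------------------------
# nginx-deployment.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  # `selector` used to appear twice in this spec (once before and once after `replicas`);
  # the YAML decoder kubectl uses rejects duplicate mapping keys, so the duplicate is dropped.
  selector:
    matchLabels:
      app: nginx
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80




kubectl scale deployment nginx-deployment --replicas 5

kubectl scale deployment nginx-deployment --replicas=1

--------------------------------------------------------------------------------
/Chapter03/3.12.2 hpa.yaml:
--------------------------------------------------------------------------------
# autoscaling/v1
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 50


# autoscaling/v2beta2
---
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 50

---
# NOTE(review): this object mixes field layouts. autoscaling/v2beta1 has no `target`/
# `describedObject` blocks (it uses targetAverageUtilization / targetAverageValue /
# metricName directly), while `target.type` values in v2beta2 are Utilization, AverageValue
# and Value. As written it is not valid under either version; the v2beta2 object above shows
# the layout that the `target:` blocks here belong to.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: AverageUtilization
        averageUtilization: 50
  - type: Pods
    pods:
      metric:
        name: packets-per-second
        targetAverageValue: 1k
  - type: Object
    object:
      metric:
        name: requests-per-second
      describedObject:
        # extensions/v1beta1 Ingress is a removed API group; networking.k8s.io is its successor.
        apiVersion: extensions/v1beta1
        kind: Ingress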
        name: main-route
      target:
        # NOTE(review): `kind` is not a field of a v2beta2 MetricTarget; the selector is `type: Value`.
        kind: Value
        value: 10k





# prometheus-operator
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: prometheus-operator
  name: prometheus-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: prometheus-operator
  template:
    metadata:
      labels:
        k8s-app: prometheus-operator
    spec:
      # No serviceAccountName: the pod runs with the namespace's default service account.
      # The operator presumably needs RBAC to manage Prometheus/ServiceMonitor objects --
      # confirm the corresponding (Cluster)RoleBinding exists elsewhere in the chapter.
      containers:
      - image: quay.io/coreos/prometheus-operator:v0.17.0
        imagePullPolicy: IfNotPresent
        name: prometheus-operator
        ports:
        - containerPort: 8080
          name: http
        resources:
          limits:
            cpu: 200m
            memory: 100Mi
          requests:
            cpu: 100m
            memory: 50Mi

# prometheus.yaml
---
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
  name: prometheus
  labels:
    app: prometheus
    prometheus: prometheus
spec:
  replicas: 1
  baseImage: prom/prometheus
  version: v2.8.0
  # Only ServiceMonitors labelled service-monitor=function are scraped (see the sample-app ServiceMonitor).
  serviceMonitorSelector:
    matchLabels:
      service-monitor: function
  resources:
    requests:
      memory: 300Mi

---
apiVersion: v1
kind: Service
metadata:
  name: prometheus
  labels:
    app: prometheus
    prometheus: prometheus
spec:
  selector:
    prometheus: prometheus
  # Prometheus has no built-in authentication; this ClusterIP exposes its query API to every
  # pod in the cluster network.
  ports:
  - name: http
    port: 9090



# custom-metrics-server
---
kind: Namespace
apiVersion: v1
metadata:
  name: custom-metrics

---
# Prometheus-adapter discovery rules: each rule maps a set of Prometheus series onto
# Kubernetes resources and names the custom metric exposed through custom.metrics.k8s.io.
apiVersion: v1
kind: ConfigMap
metadata:
  name: adapter-config
  namespace: custom-metrics
data:
  config.yaml: |
    rules:
    - seriesQuery: '{__name__=~"^container_.*",container_name!="POD",namespace!="",pod_name!=""}'
      seriesFilters: []
      resources:
        overrides:
          namespace:
            resource: namespace

          pod_name:
            resource: pod
      name:
        matches: ^container_(.*)_seconds_total$
        as: ""
      metricsQuery: sum(rate(<<.Series>>{<<.LabelMatchers>>,container_name!="POD"}[1m])) by (<<.GroupBy>>)
    - seriesQuery: '{__name__=~"^container_.*",container_name!="POD",namespace!="",pod_name!=""}'
      seriesFilters:
      - isNot: ^container_.*_seconds_total$
      resources:
        overrides:
          namespace:
            resource: namespace
          pod_name:
            resource: pod
      name:
        matches: ^container_(.*)_total$
        as: ""
      metricsQuery: sum(rate(<<.Series>>{<<.LabelMatchers>>,container_name!="POD"}[1m])) by (<<.GroupBy>>)
    - seriesQuery: '{__name__=~"^container_.*",container_name!="POD",namespace!="",pod_name!=""}'
      seriesFilters:
      - isNot: ^container_.*_total$
      resources:
        overrides:
          namespace:
            resource: namespace
          pod_name:
            resource: pod
      name:
        matches: ^container_(.*)$
        as: ""
      metricsQuery: sum(<<.Series>>{<<.LabelMatchers>>,container_name!="POD"}) by (<<.GroupBy>>)
    - seriesQuery: '{namespace!="",__name__!~"^container_.*"}'
      seriesFilters:
      - isNot: .*_total$
      resources:
        template: <<.Resource>>
      name:
        matches: ""
        as: ""
      metricsQuery: sum(<<.Series>>{<<.LabelMatchers>>}) by (<<.GroupBy>>)
    - seriesQuery: '{namespace!="",__name__!~"^container_.*"}'
      seriesFilters:
      - isNot: .*_seconds_total
      resources:
        template: <<.Resource>>
      name:
        matches: ^(.*)_total$
        as: ""
      metricsQuery: sum(rate(<<.Series>>{<<.LabelMatchers>>}[1m])) by (<<.GroupBy>>)
    - seriesQuery: '{namespace!="",__name__!~"^container_.*"}'
      seriesFilters: []
      resources:
        template: <<.Resource>>
      name:
        matches: ^(.*)_seconds_total$
        as: ""
      metricsQuery: sum(rate(<<.Series>>{<<.LabelMatchers>>}[1m])) by (<<.GroupBy>>)
    resourceRules:
      cpu:
        containerQuery: sum(rate(container_cpu_usage_seconds_total{<<.LabelMatchers>>}[1m])) by (<<.GroupBy>>)
        nodeQuery: sum(rate(container_cpu_usage_seconds_total{<<.LabelMatchers>>, id='/'}[1m])) by (<<.GroupBy>>)
        resources:
          overrides:
            instance:
              resource: node
            namespace:
              resource: namespace
            pod_name:
              resource: pod
        containerLabel: container_name
      memory:
        containerQuery: sum(container_memory_working_set_bytes{<<.LabelMatchers>>}) by (<<.GroupBy>>)
        nodeQuery: sum(container_memory_working_set_bytes{<<.LabelMatchers>>,id='/'}) by (<<.GroupBy>>)
        resources:
          overrides:
            instance:
              resource: node
            namespace:
              resource: namespace
            pod_name:
              resource: pod
        containerLabel: container_name
      window: 1m

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: custom-metrics-server
  namespace: custom-metrics
  labels:
    app: custom-metrics-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: custom-metrics-server
  template:
    metadata:
      name: custom-metrics-server
      labels:
        app: custom-metrics-server
    spec:
      containers:
      - name: custom-metrics-server
        # Untagged image: whatever "latest" is at pull time.
        image: directxman12/k8s-prometheus-adapter-amd64
        imagePullPolicy: IfNotPresent
        args:
        # Plain-HTTP connection to Prometheus across namespaces (default -> custom-metrics).
        - --prometheus-url=http://prometheus.default.svc:9090/
        - --metrics-relist-interval=30s
        # --v=10 is the most verbose log level; it will log the queries made on every relist.
        - --v=10
        - --config=/etc/adapter/config.yaml
        - --logtostderr=true
        ports:
        - containerPort: 443
        # NOTE(review): runs as root; nothing in this spec (config read-only, port 443 inside
        # the container) visibly needs it, so a non-zero runAsUser is worth trying.
        securityContext:
          runAsUser: 0
        volumeMounts:
        - mountPath: /etc/adapter/
          name: config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: adapter-config

---
apiVersion: v1
kind: Service
metadata:
  name: custom-metrics-server
  namespace: custom-metrics
spec:
  ports:
  - port: 443
    targetPort: 443
  selector:
    app: custom-metrics-server



# APIService
---
# Registers the adapter as the backend for custom.metrics.k8s.io/v1beta1 so the HPA
# controller can read custom metrics through the main API server.
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1beta1.custom.metrics.k8s.io
spec:
  service:
    name: custom-metrics-server
    namespace: custom-metrics
  group: custom.metrics.k8s.io
  version: v1beta1
  # NOTE(review): the API server will not verify the adapter's serving certificate, so a host
  # on the cluster network that can intercept traffic to the Service could impersonate the
  # adapter and feed arbitrary metrics to the HPA. Setting spec.caBundle to the CA that
  # issued the adapter's certificate removes the need for this.
  insecureSkipTLSVerify: true
  groupPriorityMinimum: 100
  versionPriority: 100




# application
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-app
  labels:
    app: sample-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sample-app
  template:
    metadata:
      labels:
        app: sample-app
    spec:
      containers:
      - image: luxas/autoscale-demo:v0.1.2
        imagePullPolicy: IfNotPresent
        name: metrics-provider
        ports:
        - name: http
          containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: sample-app
  labels:
    app: sample-app
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: sample-app




# ServiceMonitor
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: sample-app
  labels:
    # Matches the Prometheus object's serviceMonitorSelector.
    service-monitor: function
spec:
  selector:
    matchLabels:
      app: sample-app
  endpoints:
  - port: http




# hpa
---
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
  name: sample-app
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: sample-app
  minReplicas: 1
  maxReplicas: 10
  metrics:
  # http_requests is the custom metric derived from the sample app's series by the adapter rules above.
  - type: Pods
    pods:
      metric:
        name: http_requests
      target:
413 | type: AverageValue 414 | averageValue: 500m 415 | -------------------------------------------------------------------------------- /Chapter03/3.13 statefulset-mongodb-cluster.yaml: -------------------------------------------------------------------------------- 1 | # storageclass-fast.yaml 2 | --- 3 | apiVersion: storage.k8s.io/v1 4 | kind: StorageClass 5 | metadata: 6 | name: fast 7 | provisioner: kubernetes.io/glusterfs 8 | parameters: 9 | resturl: "http://" 10 | 11 | 12 | 13 | # mongo-headless-service.yaml 14 | --- 15 | apiVersion: v1 16 | kind: Service 17 | metadata: 18 | name: mongo 19 | labels: 20 | name: mongo 21 | spec: 22 | ports: 23 | - port: 27017 24 | targetPort: 27017 25 | clusterIP: None 26 | selector: 27 | role: mongo 28 | 29 | 30 | 31 | # statefulset-mongo.yaml 32 | --- 33 | apiVersion: apps/v1 34 | kind: StatefulSet 35 | metadata: 36 | name: mongo 37 | spec: 38 | selector: 39 | matchLabels: 40 | role: mongo 41 | serviceName: "mongo" 42 | replicas: 3 43 | template: 44 | metadata: 45 | labels: 46 | role: mongo 47 | environment: test 48 | spec: 49 | terminationGracePeriodSeconds: 10 50 | containers: 51 | - name: mongo 52 | image: mongo:3.4.4 53 | command: 54 | - mongod 55 | - "--replSet" 56 | - rs0 57 | - "--smallfiles" 58 | - "--noprealloc" 59 | ports: 60 | - containerPort: 27017 61 | volumeMounts: 62 | - name: mongo-persistent-storage 63 | mountPath: /data/db 64 | - name: mongo-sidecar 65 | image: cvallance/mongo-k8s-sidecar 66 | env: 67 | - name: MONGO_SIDECAR_POD_LABELS 68 | value: "role=mongo,environment=test" 69 | - name: KUBERNETES_MONGO_SERVICE_NAME 70 | value: "mongo" 71 | volumeClaimTemplates: 72 | - metadata: 73 | name: mongo-persistent-storage 74 | annotations: 75 | volume.beta.kubernetes.io/storage-class: "fast" 76 | spec: 77 | accessModes: [ "ReadWriteOnce" ] 78 | resources: 79 | requests: 80 | storage: 100Gi 81 | -------------------------------------------------------------------------------- /Chapter03/3.2 
frontend-localredis-pod.yaml:
--------------------------------------------------------------------------------
# Two-container guestbook pod: the PHP frontend and a redis share the pod's
# network namespace, so the frontend reaches redis on localhost:6379.
apiVersion: v1
kind: Pod
metadata:
  name: redis-php
  labels:
    name: redis-php
spec:
  containers:
  - name: frontend
    # Most images in this chapter carry no tag or digest (implicit :latest);
    # pin them for reproducible, auditable deployments.
    image: kubeguide/guestbook-php-frontend:localredis
    ports:
    - containerPort: 80
  - name: redis
    image: kubeguide/redis-master
    ports:
    - containerPort: 6379
--------------------------------------------------------------------------------
/Chapter03/3.2 frontend-pod.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: frontend
  labels:
    name: frontend
spec:
  containers:
  - name: frontend
    image: kubeguide/guestbook-php-frontend
    env:
    # GET_HOSTS_FROM=env: the frontend locates redis through the Service
    # environment variables injected into the pod rather than through DNS.
    - name: GET_HOSTS_FROM
      value: env
    ports:
    - containerPort: 80
--------------------------------------------------------------------------------
/Chapter03/3.3 static-web.yaml:
--------------------------------------------------------------------------------
# Static pod manifest: dropped into the kubelet's static-pod directory on a
# node, not applied through the API server.
apiVersion: v1
kind: Pod
metadata:
  name: static-web
  labels:
    name: static-web
spec:
  containers:
  - name: static-web
    image: nginx
    ports:
    - name: web
      containerPort: 80
--------------------------------------------------------------------------------
/Chapter03/3.4 pod-volume-applogs.yaml:
--------------------------------------------------------------------------------
# Shares tomcat's log directory with a busybox sidecar through an emptyDir.
apiVersion: v1
kind: Pod
metadata:
  name: volume-pod
spec:
  containers:
  - name: tomcat
    image: tomcat
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: app-logs
      mountPath: /usr/local/tomcat/logs
  - name: busybox
    image: busybox
    # NOTE(review): if no catalina*.log exists yet when this container starts,
    # the glob stays literal and tail exits — confirm behaviour on the busybox
    # version in use.
    command: ["sh", "-c", "tail -f /logs/catalina*.log"]
    volumeMounts:
    - name: app-logs
      mountPath: /logs
  volumes:
  - name: app-logs
    emptyDir: {}
--------------------------------------------------------------------------------
/Chapter03/3.5.2 cm-appconfigfiles.yaml:
--------------------------------------------------------------------------------
# ConfigMap holding two tomcat configuration files, mounted as server.xml and
# logging.properties by the 3.5.3 pod examples.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm-appconfigfiles
data:
  # The server.xml body (original lines 7-41) was stripped by the page
  # extraction; only blank lines survive here. Restore it from the book's
  # repository before using this ConfigMap.
  key-serverxml: |

  key-loggingproperties: "handlers
    = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler,
    3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler,
    java.util.logging.ConsoleHandler\r\n\r\n.handlers = 1catalina.org.apache.juli.FileHandler,
    java.util.logging.ConsoleHandler\r\n\r\n1catalina.org.apache.juli.FileHandler.level
    = FINE\r\n1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs\r\n1catalina.org.apache.juli.FileHandler.prefix
    = catalina.\r\n\r\n2localhost.org.apache.juli.FileHandler.level = FINE\r\n2localhost.org.apache.juli.FileHandler.directory
    = ${catalina.base}/logs\r\n2localhost.org.apache.juli.FileHandler.prefix = localhost.\r\n\r\n3manager.org.apache.juli.FileHandler.level
    = FINE\r\n3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs\r\n3manager.org.apache.juli.FileHandler.prefix
    = manager.\r\n\r\n4host-manager.org.apache.juli.FileHandler.level = FINE\r\n4host-manager.org.apache.juli.FileHandler.directory
    = ${catalina.base}/logs\r\n4host-manager.org.apache.juli.FileHandler.prefix =
    host-manager.\r\n\r\njava.util.logging.ConsoleHandler.level = FINE\r\njava.util.logging.ConsoleHandler.formatter
    = java.util.logging.SimpleFormatter\r\n\r\n\r\norg.apache.catalina.core.ContainerBase.[Catalina].[localhost].level
    = INFO\r\norg.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers
    = 2localhost.org.apache.juli.FileHandler\r\n\r\norg.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level
    = INFO\r\norg.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers
    = 3manager.org.apache.juli.FileHandler\r\n\r\norg.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level
    = INFO\r\norg.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers
    = 4host-manager.org.apache.juli.FileHandler\r\n\r\n"

--------------------------------------------------------------------------------
/Chapter03/3.5.2 cm-appvars.yaml:
--------------------------------------------------------------------------------
# Plain key/value ConfigMap consumed as environment variables below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm-appvars
data:
  apploglevel: info
  appdatadir: /var/data

--------------------------------------------------------------------------------
/Chapter03/3.5.3 cm-test-pod-envfrom.yaml:
--------------------------------------------------------------------------------
# Imports every key of cm-appvars as an environment variable (envFrom) and
# prints the whole environment once; restartPolicy Never keeps it one-shot.
apiVersion: v1
kind: Pod
metadata:
  name: cm-test-pod
spec:
  containers:
  - name: cm-test
    image: busybox
    # `env` also prints the Service-discovery variables injected by Kubernetes
    # — harmless in a lab, but avoid dumping the full environment into logs
    # where secrets may be exposed as env vars.
    command: [ "/bin/sh", "-c", "env" ]
    envFrom:
    - configMapRef:
        name: cm-appvars
  restartPolicy: Never
--------------------------------------------------------------------------------
/Chapter03/3.5.3 cm-test-pod-use-envvar.yaml:
--------------------------------------------------------------------------------
# Same ConfigMap, but each variable is mapped explicitly via configMapKeyRef.
apiVersion: v1
kind: Pod
metadata:
  name: cm-test-pod
spec:
  containers:
  - name: cm-test
    image: busybox
    command: [ "/bin/sh", "-c", "env | grep APP" ]
    env:
    - name: APPLOGLEVEL
      valueFrom:
        configMapKeyRef:
          name: cm-appvars
          key: apploglevel
    - name: APPDATADIR
      valueFrom:
        configMapKeyRef:
          name: cm-appvars
          key: appdatadir
  restartPolicy: Never

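--------------------------------------------------------------------------------
/Chapter03/3.5.3 cm-test-pod-volume-items.yaml:
--------------------------------------------------------------------------------
# Mounts two ConfigMap keys as files under /configfiles; `items` chooses the
# keys and the file names they appear under.
apiVersion: v1
kind: Pod
metadata:
  name: cm-test-app
spec:
  containers:
  - name: cm-test-app
    image: kubeguide/tomcat-app:v1
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: serverxml
      mountPath: /configfiles
  volumes:
  - name: serverxml
    configMap:
      name: cm-appconfigfiles
      items:
      - key: key-serverxml
        path: server.xml
      - key: key-loggingproperties
        path: logging.properties
--------------------------------------------------------------------------------
/Chapter03/3.5.3 cm-test-pod-volume-mount-dir.yaml:
--------------------------------------------------------------------------------
# Without `items` every key of the ConfigMap becomes a file named after the key.
apiVersion: v1
kind: Pod
metadata:
  name: cm-test-app
spec:
  containers:
  - name: cm-test-app
    image: kubeguide/tomcat-app:v1
    # Never: the image must already be present on the node (offline lab setup).
    imagePullPolicy: Never
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: serverxml
      mountPath: /configfiles
  volumes:
  - name: serverxml
    configMap:
      name: cm-appconfigfiles
--------------------------------------------------------------------------------
/Chapter03/3.6.1 dapi-envars-container.yaml:
--------------------------------------------------------------------------------
# Downward API: exposes the container's own resource requests/limits as
# environment variables and prints them in a loop.
apiVersion: v1
kind: Pod
metadata:
  name: dapi-envars-resourcefieldref
spec:
  containers:
  - name: test-container
    image: busybox
    imagePullPolicy: Never
    command: [ "sh", "-c"]
    # The original listed `args:` twice (sleep 10, then sleep 3600). Duplicate
    # mapping keys are invalid YAML and kubectl rejects the manifest; only the
    # later definition is kept.
    args:
    - while true; do
        echo -en '\n';
        printenv MY_CPU_REQUEST MY_CPU_LIMIT;
        printenv MY_MEM_REQUEST MY_MEM_LIMIT;
        sleep 3600;
      done;
    resources:
      requests:
        memory: "32Mi"
        cpu: "125m"
      limits:
        memory: "64Mi"
        cpu: "250m"
    env:
    - name: MY_CPU_REQUEST
      valueFrom:
        resourceFieldRef:
          containerName: test-container
          resource: requests.cpu
    - name: MY_CPU_LIMIT
      valueFrom:
        resourceFieldRef:
          containerName: test-container
          resource: limits.cpu
    - name: MY_MEM_REQUEST
      valueFrom:
        resourceFieldRef:
          containerName: test-container
          resource: requests.memory
    - name: MY_MEM_LIMIT
      valueFrom:
        resourceFieldRef:
          containerName: test-container
          resource: limits.memory
  restartPolicy: Never
--------------------------------------------------------------------------------
/Chapter03/3.6.1 dapi-envars-pod.yaml:
--------------------------------------------------------------------------------
# Downward API: pod-level fields (node, name, namespace, IP, service account)
# as environment variables.
apiVersion: v1
kind: Pod
metadata:
  name: dapi-envars-fieldref
spec:
  containers:
  - name: test-container
    image: busybox
    command: [ "sh", "-c"]
    args:
    - while true; do
        echo -en '\n';
        printenv MY_NODE_NAME MY_POD_NAME MY_POD_NAMESPACE;
        printenv MY_POD_IP MY_POD_SERVICE_ACCOUNT;
        sleep 10;
      done;
    env:
    - name: MY_NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
    - name: MY_POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: MY_POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: MY_POD_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: MY_POD_SERVICE_ACCOUNT
      valueFrom:
        fieldRef:
          fieldPath: spec.serviceAccountName
  restartPolicy: Never
--------------------------------------------------------------------------------
/Chapter03/3.6.2 dapi-volume-resources.yaml:
--------------------------------------------------------------------------------
# Downward API as a volume: resource values are written to files under
# /etc/podinfo, scaled by `divisor` (1m for CPU, 1Mi for memory).
apiVersion: v1
kind: Pod
metadata:
  name: kubernetes-downwardapi-volume-example-2
spec:
  containers:
  - name: client-container
    image: busybox
    command: ["sh", "-c"]
    args:
    - while true; do
        echo -en '\n';
        if [[ -e /etc/podinfo/cpu_limit ]]; then
          echo -en '\n'; cat /etc/podinfo/cpu_limit; fi;
        if [[ -e /etc/podinfo/cpu_request ]]; then
          echo -en '\n'; cat /etc/podinfo/cpu_request; fi;
        if [[ -e /etc/podinfo/mem_limit ]]; then
          echo -en '\n'; cat /etc/podinfo/mem_limit; fi;
        if [[ -e /etc/podinfo/mem_request ]]; then
          echo -en '\n'; cat /etc/podinfo/mem_request; fi;
        sleep 5;
      done;
    resources:
      requests:
        memory: "32Mi"
        cpu: "125m"
      limits:
        memory: "64Mi"
        cpu: "250m"
    volumeMounts:
    - name: podinfo
      mountPath: /etc/podinfo
  volumes:
  - name: podinfo
    downwardAPI:
      items:
      - path: "cpu_limit"
        resourceFieldRef:
          containerName: client-container
          resource: limits.cpu
          divisor: 1m
      - path: "cpu_request"
        resourceFieldRef:
          containerName: client-container
          resource: requests.cpu
          divisor: 1m
      - path: "mem_limit"
        resourceFieldRef:
          containerName: client-container
          resource: limits.memory
          divisor: 1Mi
      - path: "mem_request"
        resourceFieldRef:
          containerName: client-container
          resource: requests.memory
          divisor: 1Mi
--------------------------------------------------------------------------------
/Chapter03/3.6.2 dapi-volume.yaml:
--------------------------------------------------------------------------------
# Downward API as a volume: the pod's labels and annotations are projected as
# files and re-read on every loop (the files update when metadata changes).
apiVersion: v1
kind: Pod
metadata:
  name: kubernetes-downwardapi-volume-example
  labels:
    zone: us-est-coast
    cluster: test-cluster1
    rack: rack-22
  annotations:
    build: two
    builder: john-doe
spec:
  containers:
  - name: client-container
    image: busybox
    command: ["sh", "-c"]
    args:
    - while true;
      do
        if [[ -e /etc/podinfo/labels ]]; then
          echo -en '\n\n'; cat /etc/podinfo/labels; fi;
        if [[ -e /etc/podinfo/annotations ]]; then
          echo -en '\n\n'; cat /etc/podinfo/annotations; fi;
        sleep 5;
      done;
    volumeMounts:
    - name: podinfo
      mountPath: /etc/podinfo
  volumes:
  - name: podinfo
    downwardAPI:
      items:
      - path: "labels"
        fieldRef:
          fieldPath: metadata.labels
      - path: "annotations"
        fieldRef:
          fieldPath: metadata.annotations
--------------------------------------------------------------------------------
/Chapter03/3.8 pod-livenessprobe.yaml:
--------------------------------------------------------------------------------
# exec
---
# The probe passes while /tmp/health exists, then fails after the file is
# removed at t=10s; the kubelet restarts the container (default restartPolicy).
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec
spec:
  containers:
  - name: liveness
    # gcr.io/google_containers is a legacy registry path; pull from the
    # project's current registry and pin a tag in anything non-throwaway.
    image: gcr.io/google_containers/busybox
    args:
    - /bin/sh
    - -c
    - echo ok > /tmp/health; sleep 10; rm -rf /tmp/health; sleep 600
    livenessProbe:
      exec:
        command:
        - cat
        - /tmp/health
      initialDelaySeconds: 15
      timeoutSeconds: 1

# tcpsocket
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-healthcheck
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    livenessProbe:
      tcpSocket:
        port: 80
      initialDelaySeconds: 30
      timeoutSeconds: 1

# http
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-healthcheck
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:
        path: /_status/healthz
        port: 80
      initialDelaySeconds: 30
      timeoutSeconds: 1

--------------------------------------------------------------------------------
/Chapter03/3.9.1 nginx-deployment.yaml: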
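--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        # 1.7.9 is an old, unmaintained release kept for the rollout/rollback
        # demo; do not reuse this tag beyond the exercise.
        image: nginx:1.7.9
        ports:
        - containerPort: 80
--------------------------------------------------------------------------------
/Chapter03/3.9.10 customized-scheduler.yaml:
--------------------------------------------------------------------------------
---
# This pod is ignored by the default scheduler and waits for "my-scheduler".
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  schedulerName: my-scheduler
  containers:
  - name: nginx
    image: nginx

# customized scheduler, need to run through kubectl proxy
#!/bin/bash
# Toy scheduler: binds every unscheduled pod whose spec.schedulerName is
# "my-scheduler" to a random node by POSTing a Binding through a local
# `kubectl proxy`. The proxy forwards requests with the kubeconfig identity of
# whoever started it, so run it only where that identity (and pods/binding
# permission) is appropriate. Loops forever; default namespace only.
SERVER='localhost:8001'
while true;
do
  # --namespace default keeps the pod list consistent with the namespace
  # hard-coded in the Binding URL below (the original used the current context).
  for PODNAME in $(kubectl --server $SERVER get pods --namespace default -o json | jq '.items[] | select(.spec.schedulerName == "my-scheduler") | select(.spec.nodeName == null) | .metadata.name' | tr -d '"');
  do
    NODES=($(kubectl --server $SERVER get nodes -o json | jq '.items[].metadata.name' | tr -d '"'))
    NUMNODES=${#NODES[@]}
    # Guard the modulo: with an empty node list the original `$RANDOM % 0`
    # aborts the script with a division-by-zero error.
    if [ "$NUMNODES" -eq 0 ]; then
      echo "No nodes available, retrying"
      sleep 1
      continue
    fi
    # $(( )) replaces the deprecated $[ ] arithmetic form.
    CHOSEN=${NODES[$(( RANDOM % NUMNODES ))]}
    curl --header "Content-Type:application/json" --request POST --data '{"apiVersion":"v1", "kind": "Binding", "metadata": {"name": "'$PODNAME'"}, "target": {"apiVersion": "v1", "kind": "Node", "name":"'$CHOSEN'"}}' http://$SERVER/api/v1/namespaces/default/pods/$PODNAME/binding/
    echo "Assigned $PODNAME to $CHOSEN"
  done
  sleep 1
done
--------------------------------------------------------------------------------
/Chapter03/3.9.2 redis-rc-nodeselector.yaml:
--------------------------------------------------------------------------------
# ReplicationController is the legacy controller; Deployment/ReplicaSet is the
# current equivalent. nodeSelector pins the pod to nodes labelled zone=north.
apiVersion: v1
kind: ReplicationController
metadata:
  name: redis-master
  labels:
    name: redis-master
spec:
  replicas: 1
  selector:
    name: redis-master
  template:
    metadata:
      labels:
        name: redis-master
    spec:
      containers:
      - name: master
        image: kubeguide/redis-master
        ports:
        - containerPort: 6379
      nodeSelector:
        zone: north
--------------------------------------------------------------------------------
/Chapter03/3.9.3 pod-nodeaffinity.yaml:
--------------------------------------------------------------------------------
# Hard requirement: amd64 nodes; soft preference: nodes labelled disk-type=ssd.
apiVersion: v1
kind: Pod
metadata:
  name: with-node-affinity
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          # kubernetes.io/arch is the GA label (1.14+); the original used the
          # deprecated beta.kubernetes.io/arch.
          - key: kubernetes.io/arch
            operator: In
            values:
            - amd64
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        preference:
          matchExpressions:
          - key: disk-type
            operator: In
            values:
            - ssd
  containers:
  - name: with-node-affinity
    image: gcr.io/google_containers/pause:2.0
--------------------------------------------------------------------------------
/Chapter03/3.9.4 pod-podaffinity.yaml:
--------------------------------------------------------------------------------
# target pod
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-flag
  labels:
    security: "S1"
    app: "nginx"
spec:
  containers:
  - name: nginx
    image: nginx

# affinity
---
# Must land on the same node (hostname topology) as a pod labelled security=S1.
apiVersion: v1
kind: Pod
metadata:
  name: pod-affinity
spec:
  affinity:
    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: security
            operator: In
            values:
            - S1
        topologyKey: kubernetes.io/hostname
  containers:
  - name: with-pod-affinity
    image: gcr.io/google_containers/pause:2.0

# anti-affinity
---
# Same zone as a security=S1 pod, but never the same node as an app=nginx pod.
apiVersion: v1
kind: Pod
metadata:
  name: anti-affinity
spec:
  affinity:
    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: security
            operator: In
            values:
            - S1
        topologyKey: topology.kubernetes.io/zone
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: app
            operator: In
            values:
            - nginx
        topologyKey: kubernetes.io/hostname
  containers:
  - name: anti-affinity
    image: gcr.io/google_containers/pause:2.0
--------------------------------------------------------------------------------
/Chapter03/3.9.5 pod-taints-tolerations.yaml:
--------------------------------------------------------------------------------
# Notes file: the `$ kubectl taint` lines are commands to run first, the YAML
# documents are the matching tolerations (a NoExecute taint evicts running
# pods that lack a toleration for it).
# can be scheduled to node1

$ kubectl taint nodes node1 key=value:NoSchedule

---
apiVersion: v1
kind: Pod
metadata:
  name: pod-toleration
spec:
  tolerations:
  - key: "key"
    operator: "Equal"
    value: "value"
    effect: "NoSchedule"
  containers:
  - name: pod-toleration
    image: gcr.io/google_containers/pause:2.0

---
tolerations:
- key: "key"
  operator: "Exists"
  effect: "NoSchedule"

# can't be scheduled to node1

$ kubectl taint nodes node1 key1=value1:NoSchedule
$ kubectl taint nodes node1 key1=value1:NoExecute
$ kubectl taint nodes node1 key2=value2:NoSchedule

---
tolerations:
- key: "key1"
  operator: "Equal"
  value: "value1"
  effect: "NoSchedule"
- key: "key1"
  operator: "Equal"
  value: "value1"
  effect: "NoExecute"
--------------------------------------------------------------------------------
/Chapter03/3.9.6 pod-priority.yaml:
--------------------------------------------------------------------------------
---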
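# scheduling.k8s.io/v1 is GA since 1.14; the original v1beta1 was removed in 1.22.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: high-priority
# High-value classes let pods preempt others; restrict who may reference this
# class (e.g. via ResourceQuota scopeSelector on priorityClass).
value: 1000000
globalDefault: false
description: "This priority class should be used for XYZ service pods only."

---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    env: test
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
  priorityClassName: high-priority
--------------------------------------------------------------------------------
/Chapter03/3.9.7 daemonset.yaml:
--------------------------------------------------------------------------------
# One fluentd log collector per node, reading host logs through hostPath mounts.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-cloud-logging
  namespace: kube-system
  labels:
    k8s-app: fluentd-cloud-logging
spec:
  selector:
    matchLabels:
      k8s-app: fluentd-cloud-logging
  template:
    metadata:
      namespace: kube-system
      labels:
        k8s-app: fluentd-cloud-logging
    spec:
      containers:
      - name: fluentd-cloud-logging
        image: gcr.io/google_containers/fluentd-elasticsearch:1.17
        resources:
          limits:
            cpu: 100m
            memory: 200Mi
        env:
        - name: FLUENTD_ARGS
          value: -q
        volumeMounts:
        - name: varlog
          mountPath: /var/log
          # NOTE(review): left writable because fluentd presumably keeps its
          # position files under /var/log — confirm, and make read-only if not.
          readOnly: false
        - name: containers
          mountPath: /var/lib/docker/containers
          # Was false; the collector only reads container logs, so a writable
          # mount of a host directory is unnecessary privilege.
          readOnly: true
      volumes:
      - name: containers
        hostPath:
          path: /var/lib/docker/containers
      - name: varlog
        hostPath:
          path: /var/log
--------------------------------------------------------------------------------
/Chapter03/3.9.8 job.yaml:
--------------------------------------------------------------------------------
apiVersion: batch/v1
kind: Job
metadata:
  # $ITEM is not expanded by Kubernetes: this file is a template to be
  # instantiated once per item (e.g. with sed) before it is applied.
  name: process-item-$ITEM
  labels:
    jobgroup: jobexample
spec:
  template:
    metadata:
      name: jobexample
      labels:
        jobgroup: jobexample
    spec:
      containers:
      - name: c
        image: busybox
        command: ["sh", "-c", "echo Processing item $ITEM && sleep 5"]
      restartPolicy: Never
--------------------------------------------------------------------------------
/Chapter03/3.9.9 cronjob.yaml:
--------------------------------------------------------------------------------
# Runs every minute; batch/v1 CronJob requires Kubernetes 1.21+.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox
            args:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
          restartPolicy: OnFailure
--------------------------------------------------------------------------------
/Chapter04/4.2 webapp-deploy-service.yaml:
--------------------------------------------------------------------------------
# webapp-deployment.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
spec:
  replicas: 2
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      containers:
      - name: webapp
        image: kubeguide/tomcat-app:v1
        ports:
        - containerPort: 8080

# webapp-service.yaml
---
# ClusterIP Service fronting the two webapp replicas on 8080.
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
  selector:
    app: webapp
--------------------------------------------------------------------------------
/Chapter04/4.2.2 service-sessionaffinity.yaml:
--------------------------------------------------------------------------------
---
# ClientIP affinity: requests from one source IP stick to one backend pod.
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  sessionAffinity: ClientIP
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
  selector:
    app: webapp

# webapp-service.yaml
---
apiVersion: v1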
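kind: Service
metadata:
  name: webapp
spec:
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      # Affinity entries expire after 3 hours of inactivity (10800 s).
      timeoutSeconds: 10800
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
  selector:
    app: webapp
--------------------------------------------------------------------------------
/Chapter04/4.2.3 service-multiple-ports.yaml:
--------------------------------------------------------------------------------
# multiple ports
---
# Exposes both the web port and the tomcat management port through one Service;
# the management port (8005, tomcat shutdown) is usually best left unexposed.
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  ports:
  - port: 8080
    targetPort: 8080
    name: web
  - port: 8005
    targetPort: 8005
    name: management
  selector:
    app: webapp

---
# Cluster DNS Service: same port number on two protocols needs distinct names.
apiVersion: v1
kind: Service
metadata:
  name: kube-dns
  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: "KubeDNS"
spec:
  selector:
    k8s-app: kube-dns
  clusterIP: 169.169.0.100
  ports:
  - name: dns
    port: 53
    protocol: UDP
  - name: dns-tcp
    port: 53
    protocol: TCP
--------------------------------------------------------------------------------
/Chapter04/4.2.4 external-service.yaml:
--------------------------------------------------------------------------------
---
# Selector-less Service: its backends come from the hand-written Endpoints
# object below (same name/namespace).
kind: Service
apiVersion: v1
metadata:
  name: my-service
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

---
# Anyone allowed to write Endpoints can redirect this Service; keep that RBAC
# verb tightly scoped.
kind: Endpoints
apiVersion: v1
metadata:
  name: my-service
subsets:
- addresses:
  - ip: 1.2.3.4
  ports:
  - port: 80
--------------------------------------------------------------------------------
/Chapter04/4.2.5 pod-hostport.yaml:
--------------------------------------------------------------------------------
# hostPort publishes the container port directly on the node's interfaces
# (8081 -> 8080), bypassing Services; only one such pod fits per node.
apiVersion: v1
kind: Pod
metadata:
  name: webapp
  labels:
    app: webapp
spec:
  containers:
  - name: webapp
    image: tomcat
    ports:
    - containerPort: 8080
      hostPort: 8081
--------------------------------------------------------------------------------
/Chapter04/4.2.5 service-expose-to-external.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): nodePort 8081 is outside the default 30000-32767 range; the API
# server rejects it unless --service-node-port-range was widened — confirm.
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 8081
  selector:
    app: webapp

---
# LoadBalancer Service with a pre-chosen ClusterIP (sample value).
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9376
  clusterIP: 10.0.171.239

---
# ExternalName returns a CNAME; traffic leaves the cluster unproxied.
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: prod
spec:
  type: ExternalName
  externalName: my.database.example.com
--------------------------------------------------------------------------------
/Chapter04/4.2.6 service-AppProtocol.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  ports:
  - port: 8080
    targetPort: 8080
    # The ServicePort field is `appProtocol`; the original `AppProtocol` is not a
    # valid key and would be rejected or silently dropped.
    appProtocol: HTTP
  selector:
    app: webapp
--------------------------------------------------------------------------------
/Chapter04/4.2.8 nginx-headless-service.yaml:
--------------------------------------------------------------------------------
# Headless (clusterIP: None): DNS returns the pod IPs directly, no VIP.
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  ports:
  - port: 80
  clusterIP: None
  selector:
    app: nginx
--------------------------------------------------------------------------------
/Chapter04/4.2.9 service-topology.yaml:
--------------------------------------------------------------------------------
---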
# topologyKeys belongs to the ServiceTopology alpha feature, deprecated in 1.21
# and removed in 1.22 (topology-aware hints replaced it); these four documents
# only apply on clusters with that feature gate enabled.
# Same-node endpoints only.
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  selector:
    app: webapp
  ports:
  - port: 8080
  topologyKeys:
  - "kubernetes.io/hostname"

---
# Same node first, then any endpoint ("*").
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  selector:
    app: webapp
  ports:
  - port: 8080
  topologyKeys:
  - "kubernetes.io/hostname"
  - "*"

---
# Same zone, then same region; no fallback.
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  selector:
    app: webapp
  ports:
  - port: 8080
  topologyKeys:
  - "topology.kubernetes.io/zone"
  - "topology.kubernetes.io/region"

---
# Node, zone, region, then anything.
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  selector:
    app: webapp
  ports:
  - port: 8080
  topologyKeys:
  - "kubernetes.io/hostname"
  - "topology.kubernetes.io/zone"
  - "topology.kubernetes.io/region"
  - "*"
--------------------------------------------------------------------------------
/Chapter04/4.3.2 coredns.yaml:
--------------------------------------------------------------------------------
---
# CoreDNS configuration: serves cluster.local from the API (Service CIDR
# 169.169.0.0/16) and forwards everything else to the node's resolvers.
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
data:
  Corefile: |
    cluster.local {
      errors
      health {
        lameduck 5s
      }
      ready
      kubernetes cluster.local 169.169.0.0/16 {
        fallthrough in-addr.arpa ip6.arpa
      }
      prometheus :9153
      forward . /etc/resolv.conf
      cache 30
      loop
      reload
      loadbalance
    }
    . {
      cache 30
      loadbalance
      forward . /etc/resolv.conf
    }

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/name: "CoreDNS"
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      priorityClassName: system-cluster-critical
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: k8s-app
                  operator: In
                  values: ["kube-dns"]
              topologyKey: kubernetes.io/hostname
      containers:
      - name: coredns
        image: coredns/coredns:1.7.0
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            memory: 170Mi
          requests:
            cpu: 100m
            memory: 70Mi
        args: [ "-conf", "/etc/coredns/Corefile" ]
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
          readOnly: true
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        - containerPort: 9153
          name: metrics
          protocol: TCP
        # Least-privilege container: no escalation, all capabilities dropped
        # except NET_BIND_SERVICE (port 53), read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - all
          readOnlyRootFilesystem: true
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /ready
            port: 8181
            scheme: HTTP
      # Default: use the node's resolv.conf, not cluster DNS (avoids a loop).
      dnsPolicy: Default
      volumes:
      - name: config-volume
        configMap:
          name: coredns
          items:
          - key: Corefile
            path: Corefile

---
apiVersion: v1
kind: Service
metadata:
  name: kube-dns
  namespace: kube-system
  annotations:
    prometheus.io/port: "9153"
    prometheus.io/scrape: "true"
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: "CoreDNS"
spec:
  selector:
    k8s-app: kube-dns
  clusterIP: 169.169.0.100
  ports:
  - name: dns
    port: 53
    protocol: UDP
  - name: dns-tcp
    port: 53
    protocol: TCP
  - name: metrics
    port: 9153
    protocol: TCP

# app to test service name dns resolution
---
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - name: busybox
    image: gcr.io/google_containers/busybox
    command:
    - sleep
    - "3600"

# Shell command (not YAML) used to verify resolution from inside the pod:
kubectl exec busybox -- nslookup redis-master
--------------------------------------------------------------------------------
/Chapter04/4.4 nodelocaldns.yaml:
--------------------------------------------------------------------------------
---
# Identity for the NodeLocal DNSCache DaemonSet below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-local-dns
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

---
# Second Service in front of the same CoreDNS pods; the node cache forwards
# cache misses here (see -upstreamsvc in the DaemonSet args).
apiVersion: v1
kind: Service
metadata:
  name: kube-dns-upstream
  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "KubeDNSUpstream"
spec:
  ports:
  - name: dns
    port: 53
    protocol: UDP
    targetPort: 53
  - name: dns-tcp
    port: 53
    protocol: TCP
    targetPort: 53
  selector:
    k8s-app: kube-dns

# NodeLocal DNSCache configuration. Every zone is served from the link-local
# address 169.254.20.10 on each node and forwarded, TCP-only (force_tcp), to
# 169.169.0.100 — the clusterIP of the kube-dns Service. The Corefile is a block
# scalar, so no comments are placed inside it (they would become ConfigMap data).
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: node-local-dns
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
data:
  Corefile: |
    cluster.local:53 {
      errors
      cache {
        success 9984 30
        denial 9984 5
      }
      reload
      loop
      bind 169.254.20.10
      forward . 169.169.0.100 {
        force_tcp
      }
      prometheus :9253
      health 169.254.20.10:8081
    }
    in-addr.arpa:53 {
      errors
      cache 30
      reload
      loop
      bind 169.254.20.10
      forward . 169.169.0.100 {
        force_tcp
      }
      prometheus :9253
    }
    ip6.arpa:53 {
      errors
      cache 30
      reload
      loop
      bind 169.254.20.10
      forward . 169.169.0.100 {
        force_tcp
      }
      prometheus :9253
    }
    .:53 {
      errors
      cache 30
      reload
      loop
      bind 169.254.20.10
      forward . 169.169.0.100 {
        force_tcp
      }
      prometheus :9253
    }


# One node-cache pod per node. It tolerates every NoSchedule/NoExecute taint and
# CriticalAddonsOnly, so it also lands on control-plane and cordoned-by-taint
# nodes; it is node-critical priority and runs in the node's network namespace.
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-local-dns
  namespace: kube-system
  labels:
    k8s-app: node-local-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 10%
  selector:
    matchLabels:
      k8s-app: node-local-dns
  template:
    metadata:
      labels:
        k8s-app: node-local-dns
      annotations:
        prometheus.io/port: "9253"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-node-critical
      serviceAccountName: node-local-dns
      # Host network: the container ports below (53/udp, 53/tcp, 9253/tcp) are
      # opened on the node itself, not in a pod network namespace.
      hostNetwork: true
      dnsPolicy: Default # Don't use cluster DNS.
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      - effect: "NoExecute"
        operator: "Exists"
      - effect: "NoSchedule"
        operator: "Exists"
      containers:
      - name: node-cache
        # Pinned by tag only; pinning by digest makes the deployed image immutable
        # and is the usual supply-chain hardening for cluster add-ons.
        image: k8s.gcr.io/k8s-dns-node-cache:1.15.13
        resources:
          requests:
            cpu: 25m
            memory: 5Mi
        # -conf points at /etc/Corefile while the ConfigMap is mounted as
        # /etc/coredns/Corefile.base — presumably the binary renders the base file
        # into /etc/Corefile, substituting -localip/-upstreamsvc; confirm against
        # the image documentation before changing either path.
        args: [ "-localip", "169.254.20.10", "-conf", "/etc/Corefile", "-upstreamsvc", "kube-dns-upstream" ]
        securityContext:
          # Fully privileged AND on the host network: a compromise of this
          # container is a compromise of the node. The writable xtables lock mount
          # suggests it programs iptables rules for the local IP; whether NET_ADMIN
          # alone would suffice instead of privileged is not established here —
          # TODO confirm with the node-cache image before tightening. Restrict who
          # may edit DaemonSets in kube-system accordingly.
          privileged: true
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        - containerPort: 9253
          name: metrics
          protocol: TCP
        livenessProbe:
          httpGet:
            # Probes the 'health' endpoint declared in the cluster.local zone.
            host: 169.254.20.10
            path: /health
            port: 8081
          initialDelaySeconds: 60
          timeoutSeconds: 5
        volumeMounts:
        # Shared iptables lock file from the host, mounted read-write.
        - mountPath: /run/xtables.lock
          name: xtables-lock
          readOnly: false
        - name: config-volume
          mountPath: /etc/coredns
        - name: kube-dns-config
          mountPath: /etc/kube-dns
      volumes:
      - name: xtables-lock
        hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
      # The cluster CoreDNS ConfigMap, if present (optional: true).
      - name: kube-dns-config
        configMap:
          name: coredns
          optional: true
      - name: config-volume
        configMap:
          name: node-local-dns
          items:
          - key: Corefile
            path: Corefile.base
-------------------------------------------------------------------------------- /Chapter04/4.4.1 pod-hostnetwork.yaml: --------------------------------------------------------------------------------
# Host-network pod: the container listens on the node's own interfaces, so port
# 8080 is reachable by anything that can reach the node and can collide with
# other host listeners. imagePullPolicy: Never means whatever 'tomcat' image is
# already cached on the node is used as-is; nothing checks its origin.
apiVersion: v1
kind: Pod
metadata:
  name: webapp
  labels:
    app: webapp
spec:
  hostNetwork: true
  containers:
  - name: webapp
    image: tomcat
    imagePullPolicy: Never
    ports:
    - containerPort: 8080
-------------------------------------------------------------------------------- /Chapter04/4.5.2 
pod-customize-hostname-subdomain.yaml: --------------------------------------------------------------------------------
# Pod with an explicit hostname and subdomain. The per-pod DNS record
# (webapp-1.mysubdomain.<namespace>.svc.<cluster-domain>) only exists when a
# headless Service whose name equals the subdomain selects this pod.
---
apiVersion: v1
kind: Pod
metadata:
  name: webapp1
  labels:
    app: webapp1
spec:
  hostname: webapp-1
  subdomain: mysubdomain
  containers:
  - name: webapp1
    image: kubeguide/tomcat-app:v1
    ports:
    - containerPort: 8080


# Headless Service (clusterIP: None) named after the subdomain above.
---
apiVersion: v1
kind: Service
metadata:
  name: mysubdomain
spec:
  selector:
    # NOTE(review): this selector (app: webapp) does not match the pod's label
    # (app: webapp1), so as written the Service selects no pods and no
    # per-pod DNS record is created — confirm the intended label before use.
    app: webapp
  clusterIP: None
  ports:
  - port: 8080

-------------------------------------------------------------------------------- /Chapter04/4.5.3 pod-dnspolicy.yaml: --------------------------------------------------------------------------------
# Host-network pod that still resolves cluster Service names: without
# ClusterFirstWithHostNet a hostNetwork pod falls back to the node's resolver
# configuration.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
  hostNetwork: true
  dnsPolicy: ClusterFirstWithHostNet

-------------------------------------------------------------------------------- /Chapter04/4.5.4 pod-dnsconfig.yaml: --------------------------------------------------------------------------------
# dnsPolicy None: the pod's resolv.conf is built only from dnsConfig. With a
# public resolver (8.8.8.8) cluster Service names do not resolve here and the
# pod's DNS traffic leaves the cluster in clear text, so egress policy must
# allow 53/udp and 53/tcp to that address for this to work at all.
apiVersion: v1
kind: Pod
metadata:
  name: custom-dns
spec:
  containers:
  - name: custom-dns
    image: tomcat
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 8080
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
    - 8.8.8.8
    searches:
    - ns1.svc.cluster-domain.example
    - my.dns.search.suffix
    options:
    # ndots 2: names with fewer than two dots are tried with the search
    # suffixes first, which is where most lookup latency comes from.
    - name: ndots
      value: "2"
    - name: edns0

-------------------------------------------------------------------------------- /Chapter04/4.6.1 nginx-ingress-controller.yaml: --------------------------------------------------------------------------------
# NGINX Ingress Controller (nginx/nginx-ingress) in its own namespace.
---
apiVersion: v1
kind: Namespace
metadata:
  name: nginx-ingress


---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress
  namespace: nginx-ingress


# Cluster-wide permissions for the controller. The secrets rule is the
# sensitive one: it lets the controller (and anyone who compromises it) read
# every Secret in every namespace, not just the TLS secrets Ingresses reference.
# Restricting the controller to watched namespaces reduces that blast radius.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nginx-ingress
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - update
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - list
# NOTE(review): ingresses are granted only in the 'extensions' API group,
# while the Ingress objects later in this file use networking.k8s.io/v1.
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22, so on such
# clusters the controller also needs these rules for networking.k8s.io.
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - "extensions"
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - k8s.nginx.org
  resources:
  - virtualservers
  - virtualserverroutes
  - globalconfigurations
  - transportservers
  - policies
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - k8s.nginx.org
  resources:
  - virtualservers/status
  - virtualserverroutes/status
  verbs:
  - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nginx-ingress
subjects:
- kind: ServiceAccount
  name: nginx-ingress
  namespace: nginx-ingress
roleRef:
  kind: ClusterRole
  name: nginx-ingress
  apiGroup: rbac.authorization.k8s.io


# TLS certificate/key served by the controller's default server. The values
# are redacted on this page; real key material belongs in a secret store, not
# in version control, and must be rotated if it was ever committed.
---
apiVersion: v1
kind: Secret
metadata:
  name: default-server-secret
  namespace: nginx-ingress
type: Opaque
data:
  tls.crt: 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
  tls.key: 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


# Empty controller configuration; referenced by -nginx-configmaps below.
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:


---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
    spec:
      # Only nodes carrying this label host the controller — and with the
      # hostPorts below, only those nodes answer on 80/443.
      nodeSelector:
        role: ingress-nginx-controller
      serviceAccountName: nginx-ingress
      containers:
      - image: nginx/nginx-ingress:1.7.2
        imagePullPolicy: IfNotPresent
        name: nginx-ingress
        # hostPort binds 80/443 directly on the node. Such traffic does not go
        # through a Service and is generally not subject to NetworkPolicy.
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        securityContext:
          # Non-root UID with all capabilities dropped except NET_BIND_SERVICE.
          # allowPrivilegeEscalation stays true — presumably so the nginx
          # binary can gain that capability from its file capabilities; verify
          # against the image documentation rather than assuming.
          allowPrivilegeEscalation: true
          runAsUser: 101 # nginx user inside the image
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        args:
        - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
        - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret




# mywebsite-ingress.yaml
# Plain-HTTP Ingress for mywebsite.com/demo -> Service webapp:8080.
# ImplementationSpecific path matching is defined by the controller, so the
# exact set of URLs that reach the backend depends on the nginx configuration.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mywebsite-ingress
spec:
  rules:
  - host: mywebsite.com
    http:
      paths:
      - path: /demo
        pathType: ImplementationSpecific
        backend:
          service:
            name: webapp
            port:
              number: 8080



# test accessing service through ingress (192.168.18.3 is presumably the
# address of the node running the controller; --resolve pins the name to it)
# curl --resolve mywebsite.com:80:192.168.18.3 http://mywebsite.com/demo/

# test accessing service through ingress by overriding the Host header
# curl -H 'Host:mywebsite.com' http://192.168.18.3/demo/

-------------------------------------------------------------------------------- /Chapter04/4.6.2 ingress-resource-samples.yaml: --------------------------------------------------------------------------------
# Single host + path rule. ImplementationSpecific leaves path-matching
# semantics to the controller, so the set of URLs that reach the backend is
# controller-defined; Prefix or Exact give predictable matching.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mywebsite-ingress
spec:
  rules:
  - host: mywebsite.com
    http:
      paths:
      - path: /demo
        pathType: ImplementationSpecific
        backend:
          service:
            name: webapp
            port:
              number: 8080



# Resource backends (a custom StorageBucket object instead of a Service);
# only a controller that understands k8s.example.com/StorageBucket can use this.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-resource-backend
spec:
  defaultBackend:
    resource:
      apiGroup: k8s.example.com
      kind: StorageBucket
      name: static-assets
  rules:
  - http:
      paths:
      - path: /icons
        pathType: ImplementationSpecific
        backend:
          resource:
            apiGroup: k8s.example.com
            kind: StorageBucket
            name: icon-assets



# Wildcard host: "*.foo.com" matches exactly one DNS label (a.foo.com), not
# foo.com itself and not a.b.foo.com.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-wildcard-host
spec:
  rules:
  - host: "foo.bar.com"
    http:
      paths:
      - pathType: Prefix
        path: "/bar"
        backend:
          service:
            name: service1
            port:
              number: 80
  - host: "*.foo.com"
    http:
      paths:
      - pathType: Prefix
        path: "/foo"
        backend:
          service:
            name: service2
            port:
              number: 80




# IngressClass
# Cluster-scoped class binding Ingresses to one controller; parameters point
# at a custom IngressParameters object.
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: external-lb
spec:
  controller: example.com/ingress-controller
  parameters:
    apiGroup: k8s.example.com
    kind: IngressParameters
    name: external-lb


---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  ingressClassName: external-lb
  rules:
  - host: "*.example.com"
    http:
      paths:
      - path: /example
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
-------------------------------------------------------------------------------- /Chapter04/4.6.3 ingress-config-sample.yaml: --------------------------------------------------------------------------------
# single backend service: every request the controller receives for this
# Ingress, regardless of host or path, goes to webapp:8080.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
spec:
  defaultBackend:
    service:
      name: webapp
      port:
        number: 8080




# simple fanout: one host, two path prefixes to two Services.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-fanout-example
spec:
  rules:
  - host: mywebsite.com
    http:
      paths:
      - path: /web
        pathType: ImplementationSpecific
        backend:
          service:
            name: web-service
            port:
              number: 8080
      - path: /api
        pathType: ImplementationSpecific
        backend:
          service:
            name: api-service
            port:
              number: 8081



# route based on host (name-based virtual hosting): the Host header decides
# the backend, so both Services share one address and port.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: name-virtual-host-ingress
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: service1
            port:
              number: 80
  - host: bar.foo.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: service2
            port:
              number: 80



# no host: the rule matches any Host header (or none), i.e. requests by IP.
# NOTE(review): this Ingress reuses the name test-ingress from the first
# document of this file; applying both to one namespace replaces the first.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
spec:
  rules:
  - http:
      paths:
      - path: /demo
        pathType: Prefix
        backend:
          service:
            name: webapp
            port:
              number: 8080
-------------------------------------------------------------------------------- /Chapter04/4.6.4 ingress-tls.yaml: 
--------------------------------------------------------------------------------
# mywebsite-ingress-secret.yaml
# TLS Secret consumed by the Ingress below (tls.crt / tls.key, base64).
# The values are redacted on this page. Base64 is not encryption: anyone with
# read access to Secrets in this namespace has the private key, so keep real
# key material out of version control.
---
apiVersion: v1
kind: Secret
metadata:
  name: mywebsite-ingress-secret
type: kubernetes.io/tls
data:
  tls.crt: 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
  tls.key: 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




# openssl.cnf
# Request extensions for the leaf certificate: not a CA, TLS key usages, and
# SANs for both hostnames. Modern clients match SANs, not the CN.
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mywebsite.com
DNS.2 = mywebsite2.com


# Lab-only PKI: a self-signed CA and a leaf certificate, each valid for
# 5000 days (about 13.7 years). For anything beyond a test cluster use a
# managed CA with short-lived certificates, and protect ca.key — whoever holds
# it can issue certificates every client trusting ca.crt will accept.
openssl genrsa -out ca.key 2048

openssl req -x509 -new -nodes -key ca.key -days 5000 -out ca.crt -subj "/CN=mywebsite.com"

openssl genrsa -out ingress.key 2048

openssl req -new -key ingress.key -out ingress.csr -subj "/CN=mywebsite.com" -config openssl.cnf

openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ingress.crt -days 5000 -extensions v3_req -extfile openssl.cnf




# mywebsite-ingress-tls.yaml
# Terminates TLS for mywebsite.com with the Secret above; the tls.hosts entry
# must match the rule host for the certificate to be selected.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mywebsite-ingress-tls
spec:
  tls:
  - hosts:
    - mywebsite.com
    secretName: mywebsite-ingress-secret
  rules:
  - host: mywebsite.com
    http:
      paths:
      - path: /demo
        pathType: Prefix
        backend:
          service:
            name: webapp
            port:
              number: 8080


# -k disables certificate verification; acceptable only because the CA above is
# self-made and untrusted by curl. Do not carry -k into scripts that talk to
# real endpoints — pass --cacert ca.crt instead to verify the chain.
curl -H 'Host:mywebsite.com' -k https://192.168.18.3/demo/
-------------------------------------------------------------------------------- /Chapter06/6.2.3 rbac.yaml: --------------------------------------------------------------------------------
# Namespaced read-only access to Pods in 'default'.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]


# Cluster-scoped role; its effective scope is decided by the binding that
# references it. Reading Secrets is equivalent to holding every credential in
# the bound scope, so treat bindings to this role as privileged.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]


---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io


# RoleBinding to a ClusterRole: dave can read Secrets only in 'development'.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-secrets
  namespace: development
subjects:
- kind: User
  name: dave
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io


# ClusterRoleBinding: every member of group 'manager' can read every Secret in
# every namespace, including kube-system. Audit membership of that group.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io




# resources reference
# Subresources are named resource/subresource; pods/log exposes container
# output, which frequently contains secrets by accident.
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]


# resourceNames narrows the rule to a single named object. Note that list/watch
# cannot be restricted by name, which is why only update/get are granted.
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: configmap-updater
rules:
- apiGroups: [""]
  # NOTE(review): RBAC matches the plural API resource name; the core resource
  # is "configmaps", so "configmap" as written would not grant anything.
  resources: ["configmap"]
  resourceNames: ["my-configmap"]
  verbs: ["update", "get"]




# aggregationRule
# 'monitoring' has no rules of its own; the controller manager fills it with
# the rules of every ClusterRole carrying the selected label. Anyone who can
# create ClusterRoles with that label can therefore extend 'monitoring'.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregate-to-monitoring: "true"
rules: []


---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-endpoints
  labels:
    rbac.example.com/aggregate-to-monitoring: "true"
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "pods"]
  verbs: ["get", "list", "watch"]


# Extends the built-in 'view' ClusterRole with read access to a custom resource.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aggregate-cron-tabs-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["stable.example.com"]
  resources: ["crontabs"]
  verbs: ["get", "list", "watch"]




# Delegation without escalation: user-1 may create RoleBindings in their
# namespace, but the 'bind' verb is limited by resourceNames to admin/edit/
# view, so they cannot bind a ClusterRole more powerful than those.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-grantor
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["create"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["bind"]
  resourceNames: ["admin","edit","view"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-grantor-binding
  namespace: user-1-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-grantor
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user-1
-------------------------------------------------------------------------------- /Chapter06/6.5 imagepullsecret.yaml: --------------------------------------------------------------------------------
# Registry credential in the legacy .dockercfg format. The value is plain
# base64 of a JSON document holding the registry password/token, so everyone
# who can read this Secret holds the registry credential.
# NOTE(review): the value below contains a space ("...ICJab UZy...") — most
# likely a line-wrap artifact of the listing — which would make it invalid
# base64; confirm against the original file before applying.
---
apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
data:
  .dockercfg: eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJab UZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K
type: kubernetes.io/dockercfg

# Pod that pulls its image with the credential above.
---
apiVersion: v1
kind: Pod
metadata:
  name: mypod2
spec:
  containers:
  - name: foo
    image: janedoe/awesomeapp:v1
  imagePullSecrets:
  - name: myregistrykey
-------------------------------------------------------------------------------- /Chapter06/6.5 secret.yaml: --------------------------------------------------------------------------------
# Opaque Secret with two base64 values. Both decode to "value-1"/"value-2"
# followed by CR LF, i.e. they were encoded from a line-terminated input;
# encode with printf or echo -n to avoid a stray newline in the mounted files.
---
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: dmFsdWUtMg0K
  username: dmFsdWUtMQ0K

# Mounts the Secret read-only as files under /etc/foo.
# NOTE(review): the Pod lives in namespace 'myns' while the Secret above has no
# namespace; Secrets are namespaced, so unless both are applied with -n myns
# the volume cannot be resolved.
---
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: myns
spec:
  containers:
  - name: mycontainer
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
-------------------------------------------------------------------------------- /Chapter06/6.6.1 podsecuritypolicy.yaml: --------------------------------------------------------------------------------
# PodSecurityPolicy (policy/v1beta1) is deprecated and was removed in
# Kubernetes 1.25; Pod Security Admission is the replacement. This policy only
# forbids privileged containers — RunAsAny still permits root and volumes '*'
# still permits hostPath, so it is far from a restricted profile.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-non-privileged
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'


# ok to create
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx


# forbidden to create (privileged container rejected by the policy above)
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      privileged: true
-------------------------------------------------------------------------------- /Chapter06/6.6.2 podsecuritypolicy-config.yaml: --------------------------------------------------------------------------------
# AllowedHostPaths: hostPath volumes are permitted, but only under the /foo
# prefix and only read-only. A writable hostPath is a node-escape primitive.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allow-hostpath-volumes
spec:
  volumes:
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/foo"
    readOnly: true


# allowedFlexVolumes: restricts flexVolume to an explicit driver allow-list
# ('......' marks fields omitted in the book listing).
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allow-flex-volumes
spec:
  ......
  volumes:
  - flexVolume
  allowedFlexVolumes:
  - driver: example/lvm
  - driver: example/cifs


# sysctl: unsafe sysctls are node-wide or non-namespaced settings; allowing
# kernel.msg* here means pods can change them for the whole node.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sysctl-psp
spec:
  allowedUnsafeSysctls:
  - kernel.msg*
  forbiddenSysctls:
  - kernel.shm_rmid_forced
  ......

-------------------------------------------------------------------------------- /Chapter06/6.6.3 podsecuritypolicy-examples.yaml: --------------------------------------------------------------------------------
# privileged: equivalent to no policy at all — privileged containers, every
# capability, every volume type, host network/PID/IPC and every host port.
# Bind it only to the identities that run system components that truly need it.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'




# restricted: non-root, no privilege escalation, all capabilities dropped, only
# ephemeral/config volume types, no host namespaces, default seccomp/AppArmor
# profiles. Still permissive in two places: readOnlyRootFilesystem is false and
# seLinux is RunAsAny. The seccomp/AppArmor annotations are the pre-1.19 form;
# securityContext.seccompProfile is the current field.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  readOnlyRootFilesystem: false




# baseline: blocks the obvious escapes (privileged, host namespaces) while
# keeping the runtime's default capability set and most volume drivers. Note
# that NET_RAW (raw sockets, needed only for tools like ping; enables packet
# spoofing inside the pod network) is still allowed, seccomp defaults to
# 'unconfined', and root is permitted (RunAsAny).
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: baseline
  annotations:
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default,unconfined'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'unconfined'
spec:
  privileged: false
  allowedCapabilities:
  - 'CHOWN'
  - 'DAC_OVERRIDE'
  - 'FSETID'
  - 'FOWNER'
  - 'MKNOD'
  - 'NET_RAW'
  - 'SETGID'
  - 'SETUID'
  - 'SETFCAP'
  - 'SETPCAP'
  - 'NET_BIND_SERVICE'
  - 'SYS_CHROOT'
  - 'KILL'
  - 'AUDIT_WRITE'
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  - 'awsElasticBlockStore'
  - 'azureDisk'
  - 'azureFile'
  - 'cephFS'
  - 'cinder'
  - 'csi'
  - 'fc'
  - 'flexVolume'
  - 'flocker'
  - 'gcePersistentDisk'
  - 'gitRepo'
  - 'glusterfs'
  - 'iscsi'
  - 'nfs'
  - 'photonPersistentDisk'
  - 'portworxVolume'
  - 'quobyte'
  - 'rbd'
  - 'scaleIO'
  - 'storageos'
  - 'vsphereVolume'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  readOnlyRootFilesystem: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
-------------------------------------------------------------------------------- /Chapter06/6.6.4 podsecuritypolicy-rbac.yaml: --------------------------------------------------------------------------------
# Templates (names left blank) for granting 'use' on a PodSecurityPolicy.
# A policy applies to a pod only if the creating identity — usually the
# pod's ServiceAccount via a controller — is allowed to 'use' it.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name:
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  -


# Cluster-wide grant to specific ServiceAccounts or Users.
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name:
roleRef:
  kind: ClusterRole
  name:
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name:
  namespace:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name:


# Namespaced grant to the built-in groups: system:serviceaccounts is every
# ServiceAccount and system:authenticated is every authenticated identity, so
# this hands the policy to everyone in the namespace. Use it only for the
# least-privileged default policy, never for a permissive one.
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name:
  namespace:
roleRef:
  kind: Role
  name:
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated




# psp-restricted.yaml
# NOTE: despite the name this policy is permissive — only privileged: false is
# enforced; root and every volume type (hostPath included) remain allowed. It
# also shares the cluster-scoped name 'restricted' with the policy in 6.6.3,
# so applying both replaces one with the other.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'


# forbidden
# pod.yaml — presumably rejected at this point because no policy is yet
# usable by the creating identity, not because of the pod's own settings.
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx




# psp-restricted-rbac.yaml
# Grants 'use' on the 'restricted' policy to one ServiceAccount in psp-example.
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:unprivileged
  namespace: psp-example
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - restricted
  verbs:
  - use

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: fake-user:psp:unprivileged
  namespace: psp-example
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: psp:unprivileged
subjects:
- kind: ServiceAccount
  name: fake-user
  namespace: psp-example



# ok to create
# pod.yaml — same pod as above, admitted once the binding is in place.
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
-------------------------------------------------------------------------------- /Chapter06/6.6.5 pod-securitycontext.yaml: --------------------------------------------------------------------------------
# security-context-demo-1.yaml
# Pod-level identity: processes run as UID 1000 / GID 3000, and volumes that
# support it are made group-owned by fsGroup 2000. The container additionally
# forbids privilege escalation (no setuid/file-capability gains).
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-1
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false



# pod volume policy
# OnRootMismatch: the fsGroup ownership walk is skipped when the volume root
# already matches, which avoids recursive chown on large volumes
# ('......' marks fields omitted in the book listing).
---
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
    fsGroupChangePolicy: "OnRootMismatch"
  containers:
  - name: demo
    ......





# security-context-demo-2.yaml
# Container-level settings override pod-level ones: this container runs as
# UID 2000, not the pod's 1000.
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false




# security-context-demo-3.yaml
# No securityContext at all: the container runs as whatever user the image
# defaults to (for busybox typically root) with the runtime's default capabilities.
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-3
spec:
  containers:
  - name: sec-ctx-3
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]




# security-context-demo-4.yaml
# Adds two capabilities beyond the default set. NET_ADMIN permits network
# configuration changes inside the pod's network namespace; SYS_TIME permits
# setting the system clock, which is shared with the host — grant it only
# where a clock-management workload genuinely requires it.
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]
-------------------------------------------------------------------------------- /Chapter07/7.5 pod-service-network.yaml: --------------------------------------------------------------------------------
# Guestbook frontend ReplicationController. hostPort: 80 binds the container
# port on the node, so at most one replica fits per node and the frontend is
# reachable on the node address without going through the Service.
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: frontend
  labels:
    name: frontend
spec:
  replicas: 1
  selector:
    name: frontend
  template:
    metadata:
      labels:
        name: frontend
    spec:
      containers:
      - name: php-redis
        image: kubeguide/guestbook-php-frontend
        env:
        # The app discovers backend hosts from environment variables rather
        # than DNS.
        - name: GET_HOSTS_FROM
          value: env
        ports:
        - containerPort: 80
          hostPort: 80

# ClusterIP Service fronting the replicas on port 80.
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
  labels:
    name: frontend
spec:
  ports:
  - port: 80
  selector:
    name: frontend
-------------------------------------------------------------------------------- /Chapter07/7.6.2 cni-plugin-examples.json: 
-------------------------------------------------------------------------------- 1 | # bridge 2 | { 3 | "cniVersion": "0.4.0", 4 | "name": "dbnet", 5 | "type": "bridge", 6 | "bridge": "cni0", 7 | "ipam": { 8 | "type": "host-local", 9 | "subnet": "10.1.0.0/16", 10 | "gateway": "10.1.0.1" 11 | }, 12 | "dns": { 13 | "nameservers": [ "10.1.0.1" ] 14 | } 15 | } 16 | 17 | 18 | # ovs 19 | { 20 | "cniVersion": "0.4.0", 21 | "name": "pci", 22 | "type": "ovs", 23 | "bridge": "ovs0", 24 | "vxlanID": 42, 25 | "ipam": { 26 | "type": "dhcp", 27 | "routes": [ { "dst": "10.3.0.0/16" }, { "dst": "10.4.0.0/16" } ] 28 | }, 29 | "args": { 30 | "labels" : { 31 | "appVersion" : "1.0" 32 | } 33 | } 34 | } 35 | 36 | 37 | # macvlan 38 | { 39 | "cniVersion": "0.4.0", 40 | "name": "wan", 41 | "type": "macvlan", 42 | "ipam": { 43 | "type": "dhcp", 44 | "routes": [ { "dst": "10.0.0.0/8", "gw": "10.0.0.1" } ] 45 | }, 46 | "dns": { 47 | "nameservers": [ "10.0.0.1" ] 48 | } 49 | } 50 | 51 | 52 | 53 | # cni network configuration list 54 | { 55 | "cniVersion": "0.4.0", 56 | "name": "dbnet", 57 | "plugins": [ 58 | { 59 | "type": "bridge", 60 | "bridge": "cni0", 61 | "args": { 62 | "labels" : { 63 | "appVersion" : "1.0" 64 | } 65 | }, 66 | "ipam": { 67 | "type": "host-local", 68 | "subnet": "10.1.0.0/16", 69 | "gateway": "10.1.0.1" 70 | }, 71 | "dns": { 72 | "nameservers": [ "10.1.0.1" ] 73 | } 74 | }, 75 | { 76 | "type": "tuning", 77 | "sysctl": { 78 | "net.core.somaxconn": "500" 79 | } 80 | } 81 | ] 82 | } 83 | -------------------------------------------------------------------------------- /Chapter07/7.7.4 cni-calico.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubeguide/K8sDefinitiveGuide-V5-Sourcecode/499b07cafe313cd761a81f59c85cb9641250cf73/Chapter07/7.7.4 cni-calico.yaml -------------------------------------------------------------------------------- /Chapter07/7.8.1 networkpolicy.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: test-network-policy 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | role: db 10 | policyTypes: 11 | - Ingress 12 | - Egress 13 | ingress: 14 | - from: 15 | - ipBlock: 16 | cidr: 172.17.0.0/16 17 | except: 18 | - 172.17.1.0/24 19 | - namespaceSelector: 20 | matchLabels: 21 | project: myproject 22 | - podSelector: 23 | matchLabels: 24 | role: frontend 25 | ports: 26 | - protocol: TCP 27 | port: 6379 28 | egress: 29 | - to: 30 | - ipBlock: 31 | cidr: 10.0.0.0/24 32 | ports: 33 | - protocol: TCP 34 | port: 5978 35 | -------------------------------------------------------------------------------- /Chapter07/7.8.3 default-networkpolicy-in-namespace.yaml: -------------------------------------------------------------------------------- 1 | # default deny ingress 2 | --- 3 | apiVersion: networking.k8s.io/v1 4 | kind: NetworkPolicy 5 | metadata: 6 | name: default-deny 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | 12 | 13 | # default allow ingress 14 | --- 15 | apiVersion: networking.k8s.io/v1 16 | kind: NetworkPolicy 17 | metadata: 18 | name: allow-all 19 | spec: 20 | podSelector: {} 21 | ingress: 22 | - {} 23 | policyTypes: 24 | - Ingress 25 | 26 | 27 | # default deny egress 28 | --- 29 | apiVersion: networking.k8s.io/v1 30 | kind: NetworkPolicy 31 | metadata: 32 | name: default-deny 33 | spec: 34 | podSelector: {} 35 | policyTypes: 36 | - Egress 37 | 38 | 39 | # default allow egress 40 | --- 41 | apiVersion: networking.k8s.io/v1 42 | kind: NetworkPolicy 43 | metadata: 44 | name: allow-all 45 | spec: 46 | podSelector: {} 47 | egress: 48 | - {} 49 | policyTypes: 50 | - Egress 51 | 52 | 53 | # default deny ingress and egress 54 | --- 55 | apiVersion: networking.k8s.io/v1 56 | kind: NetworkPolicy 57 | metadata: 58 | name: default-deny 59 | spec: 60 | podSelector: {} 61 | 
policyTypes: 62 | - Ingress 63 | - Egress 64 | -------------------------------------------------------------------------------- /Chapter07/7.8.4 networkpolicy-samples.yaml: -------------------------------------------------------------------------------- 1 | # nginx.yaml 2 | --- 3 | apiVersion: v1 4 | kind: Pod 5 | metadata: 6 | name: nginx 7 | labels: 8 | app: nginx 9 | spec: 10 | containers: 11 | - name: nginx 12 | image: nginx 13 | 14 | 15 | # networkpolicy-allow-nginxclient.yaml 16 | --- 17 | kind: NetworkPolicy 18 | apiVersion: networking.k8s.io/v1 19 | metadata: 20 | name: allow-nginxclient 21 | spec: 22 | podSelector: 23 | matchLabels: 24 | app: nginx 25 | ingress: 26 | - from: 27 | - podSelector: 28 | matchLabels: 29 | role: nginxclient 30 | ports: 31 | - protocol: TCP 32 | port: 80 33 | 34 | 35 | 36 | 37 | # client1.yaml 38 | --- 39 | apiVersion: v1 40 | kind: Pod 41 | metadata: 42 | name: client1 43 | labels: 44 | role: nginxclient 45 | spec: 46 | containers: 47 | - name: client1 48 | image: busybox 49 | command: [ "sleep", "3600" ] 50 | 51 | # client2.yaml 52 | --- 53 | apiVersion: v1 54 | kind: Pod 55 | metadata: 56 | name: client2 57 | spec: 58 | containers: 59 | - name: client2 60 | image: busybox 61 | command: [ "sleep", "3600" ] 62 | -------------------------------------------------------------------------------- /Chapter07/7.9.1 calico-ipv4-ipv6-dual-stack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: ConfigMap 3 | apiVersion: v1 4 | metadata: 5 | name: calico-config 6 | namespace: kube-system 7 | data: 8 | ...... 9 | cni_network_config: |- 10 | { 11 | "name": "k8s-pod-network", 12 | "cniVersion": "0.3.1", 13 | "plugins": [ 14 | { 15 | ...... 16 | "ipam": { 17 | "type": "calico-ipam", 18 | "assign_ipv4": "true", 19 | "assign_ipv6": "true" 20 | }, 21 | ...... 
22 | } 23 | 24 | 25 | 26 | --- 27 | kind: DaemonSet 28 | apiVersion: apps/v1 29 | metadata: 30 | name: calico-node 31 | namespace: kube-system 32 | labels: 33 | k8s-app: calico-node 34 | spec: 35 | ...... 36 | spec: 37 | ...... 38 | containers: 39 | - name: calico-node 40 | image: calico/node:v3.15.1 41 | env: 42 | ...... 43 | - name: IP 44 | value: "autodetect" 45 | - name: IP6 46 | value: "autodetect" 47 | 48 | - name: CALICO_IPV4POOL_CIDR 49 | value: "10.0.0.0/16" 50 | - name: CALICO_IPV6POOL_CIDR 51 | value: "fa00::0/112" 52 | 53 | - name: IP_AUTODETECTION_METHOD 54 | value: "interface=ens.*" 55 | - name: IP6_AUTODETECTION_METHOD 56 | value: "interface=ens.*" 57 | 58 | - name: FELIX_IPV6SUPPORT 59 | value: "true" 60 | ...... 61 | -------------------------------------------------------------------------------- /Chapter07/7.9.2 pod-ip-dual-stack.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: webapp 5 | spec: 6 | replicas: 2 7 | selector: 8 | matchLabels: 9 | app: webapp 10 | template: 11 | metadata: 12 | labels: 13 | app: webapp 14 | spec: 15 | containers: 16 | - name: webapp 17 | image: kubeguide/tomcat-app:v1 18 | ports: 19 | - containerPort: 8080 20 | -------------------------------------------------------------------------------- /Chapter07/7.9.3 service-ip-dual-stack.yaml: -------------------------------------------------------------------------------- 1 | # svc-webapp-ipv4.yaml 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: webapp 7 | spec: 8 | ports: 9 | - port: 8080 10 | selector: 11 | app: webapp 12 | 13 | 14 | # svc-webapp-ipv6.yaml 15 | --- 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: webapp-ipv6 20 | spec: 21 | ipFamily: IPv6 22 | ports: 23 | - port: 8080 24 | selector: 25 | app: webapp 26 | -------------------------------------------------------------------------------- /Chapter08/8.1.1 
inject-volume-into-pod.yaml: -------------------------------------------------------------------------------- 1 | # ConfigMap 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: cm-appconfigfiles 7 | data: 8 | key-serverxml: | 9 | 10 | ...... 11 | key-loggingproperties: "handlers 12 | ...... 13 | = 4host-manager.org.apache.juli.FileHandler\r\n\r\n" 14 | 15 | 16 | --- 17 | apiVersion: v1 18 | kind: Pod 19 | metadata: 20 | name: cm-test-app 21 | spec: 22 | containers: 23 | - name: cm-test-app 24 | image: kubeguide/tomcat-app:v1 25 | ports: 26 | - containerPort: 8080 27 | volumeMounts: 28 | - name: serverxml 29 | mountPath: /configfiles 30 | volumes: 31 | - name: serverxml 32 | configMap: 33 | name: cm-appconfigfiles 34 | items: 35 | - key: key-serverxml 36 | path: server.xml 37 | - key: key-loggingproperties 38 | path: logging.properties 39 | 40 | 41 | 42 | 43 | 44 | # Secret 45 | --- 46 | apiVersion: v1 47 | kind: Secret 48 | metadata: 49 | name: mysecret 50 | type: Opaque 51 | data: 52 | password: dmFsdWUtMg0K 53 | username: dmFsdWUtMQ0K 54 | 55 | 56 | --- 57 | apiVersion: v1 58 | kind: Pod 59 | metadata: 60 | name: mypod 61 | spec: 62 | containers: 63 | - name: mycontainer 64 | image: redis 65 | volumeMounts: 66 | - name: foo 67 | mountPath: "/etc/foo" 68 | volumes: 69 | - name: foo 70 | secret: 71 | secretName: mysecret 72 | 73 | 74 | 75 | 76 | # Downward API 77 | --- 78 | apiVersion: v1 79 | kind: Pod 80 | metadata: 81 | name: kubernetes-downwardapi-volume-example 82 | labels: 83 | zone: us-est-coast 84 | cluster: test-cluster1 85 | rack: rack-22 86 | annotations: 87 | build: two 88 | builder: john-doe 89 | spec: 90 | containers: 91 | - name: client-container 92 | image: busybox 93 | command: ["sh", "-c"] 94 | args: 95 | - while true; do 96 | if [[ -e /etc/podinfo/labels ]]; then 97 | echo -en '\n\n'; cat /etc/podinfo/labels; fi; 98 | if [[ -e /etc/podinfo/annotations ]]; then 99 | echo -en '\n\n'; cat /etc/podinfo/annotations; fi; 100 | sleep 
5; 101 | done; 102 | volumeMounts: 103 | - name: podinfo 104 | mountPath: /etc/podinfo 105 | volumes: 106 | - name: podinfo 107 | downwardAPI: 108 | items: 109 | - path: "labels" 110 | fieldRef: 111 | fieldPath: metadata.labels 112 | - path: "annotations" 113 | fieldRef: 114 | fieldPath: metadata.annotations 115 | 116 | 117 | 118 | 119 | # Projected Volume 120 | --- 121 | apiVersion: v1 122 | kind: Pod 123 | metadata: 124 | name: volume-test 125 | spec: 126 | containers: 127 | - name: container-test 128 | image: busybox 129 | volumeMounts: 130 | - name: all-in-one 131 | mountPath: "/projected-volume" 132 | readOnly: true 133 | volumes: 134 | - name: all-in-one 135 | projected: 136 | sources: 137 | - secret: 138 | name: mysecret 139 | items: 140 | - key: username 141 | path: my-group/my-username 142 | - downwardAPI: 143 | items: 144 | - path: "labels" 145 | fieldRef: 146 | fieldPath: metadata.labels 147 | - path: "cpu_limit" 148 | resourceFieldRef: 149 | containerName: container-test 150 | resource: limits.cpu 151 | - configMap: 152 | name: myconfigmap 153 | items: 154 | - key: config 155 | path: my-group/my-config 156 | 157 | 158 | --- 159 | apiVersion: v1 160 | kind: Pod 161 | metadata: 162 | name: volume-test 163 | spec: 164 | containers: 165 | - name: container-test 166 | image: busybox 167 | volumeMounts: 168 | - name: all-in-one 169 | mountPath: "/projected-volume" 170 | readOnly: true 171 | volumes: 172 | - name: all-in-one 173 | projected: 174 | sources: 175 | - secret: 176 | name: mysecret 177 | items: 178 | - key: username 179 | path: my-group/my-username 180 | - secret: 181 | name: mysecret2 182 | items: 183 | - key: password 184 | path: my-group/my-password 185 | mode: 511 186 | 187 | 188 | --- 189 | apiVersion: v1 190 | kind: Pod 191 | metadata: 192 | name: sa-token-test 193 | spec: 194 | containers: 195 | - name: container-test 196 | image: busybox 197 | volumeMounts: 198 | - name: token-vol 199 | mountPath: "/service-account" 200 | readOnly: true 201 
| volumes: 202 | - name: token-vol 203 | projected: 204 | sources: 205 | - serviceAccountToken: 206 | audience: api 207 | expirationSeconds: 3600 208 | path: token 209 | -------------------------------------------------------------------------------- /Chapter08/8.1.2 node-volume.yaml: -------------------------------------------------------------------------------- 1 | # EmptyDir 2 | --- 3 | apiVersion: v1 4 | kind: Pod 5 | metadata: 6 | name: test-pod 7 | spec: 8 | containers: 9 | - image: busybox 10 | name: test-container 11 | volumeMounts: 12 | - mountPath: /cache 13 | name: cache-volume 14 | volumes: 15 | - name: cache-volume 16 | emptyDir: {} 17 | 18 | 19 | 20 | 21 | # HostPath 22 | --- 23 | apiVersion: v1 24 | kind: Pod 25 | metadata: 26 | name: test-pod 27 | spec: 28 | containers: 29 | - image: busybox 30 | name: test-container 31 | volumeMounts: 32 | - mountPath: /host-data 33 | name: test-volume 34 | volumes: 35 | - name: test-volume 36 | hostPath: 37 | path: /data 38 | type: Directory 39 | 40 | 41 | --- 42 | apiVersion: v1 43 | kind: Pod 44 | metadata: 45 | name: test-webserver 46 | spec: 47 | containers: 48 | - name: test-webserver 49 | image: k8s.gcr.io/test-webserver:latest 50 | volumeMounts: 51 | - mountPath: /var/local/aaa 52 | name: mydir 53 | - mountPath: /var/local/aaa/1.txt 54 | name: myfile 55 | volumes: 56 | - name: mydir 57 | hostPath: 58 | path: /var/local/aaa 59 | type: DirectoryOrCreate 60 | - name: myfile 61 | hostPath: 62 | path: /var/local/aaa/1.txt 63 | type: FileOrCreate 64 | -------------------------------------------------------------------------------- /Chapter08/8.2.2 pv.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: pv1 6 | spec: 7 | capacity: 8 | storage: 5Gi 9 | volumeMode: Filesystem 10 | accessModes: 11 | - ReadWriteOnce 12 | persistentVolumeReclaimPolicy: Recycle 13 | storageClassName: slow 14 | mountOptions: 
15 | - hard 16 | - nfsvers=4.1 17 | nfs: 18 | path: /tmp 19 | server: 172.17.0.2 20 | 21 | 22 | 23 | 24 | # block pv 25 | --- 26 | apiVersion: v1 27 | kind: PersistentVolume 28 | metadata: 29 | name: block-pv 30 | spec: 31 | capacity: 32 | storage: 10Gi 33 | accessModes: 34 | - ReadWriteOnce 35 | persistentVolumeReclaimPolicy: Retain 36 | volumeMode: Block 37 | fc: 38 | targetWWNs: ["50060e801049cfd1"] 39 | lun: 0 40 | readOnly: false 41 | 42 | 43 | 44 | 45 | # Mount Options 46 | --- 47 | apiVersion: "v1" 48 | kind: "PersistentVolume" 49 | metadata: 50 | name: gce-disk-1 51 | spec: 52 | capacity: 53 | storage: "10Gi" 54 | accessModes: 55 | - "ReadWriteOnce" 56 | mountOptions: 57 | - hard 58 | - nolock 59 | - nfsvers=3 60 | gcePersistentDisk: 61 | fsType: "ext4" 62 | pdName: "gce-disk-1" 63 | 64 | 65 | 66 | 67 | # Node Affinity 68 | --- 69 | apiVersion: v1 70 | kind: PersistentVolume 71 | metadata: 72 | name: example-local-pv 73 | spec: 74 | capacity: 75 | storage: 5Gi 76 | accessModes: 77 | - ReadWriteOnce 78 | persistentVolumeReclaimPolicy: Delete 79 | storageClassName: local-storage 80 | local: 81 | path: /mnt/disks/ssd1 82 | nodeAffinity: 83 | required: 84 | nodeSelectorTerms: 85 | - matchExpressions: 86 | - key: kubernetes.io/hostname 87 | operator: In 88 | values: 89 | - my-node 90 | -------------------------------------------------------------------------------- /Chapter08/8.2.3 pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: myclaim 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | volumeMode: Filesystem 10 | resources: 11 | requests: 12 | storage: 8Gi 13 | storageClassName: slow 14 | selector: 15 | matchLabels: 16 | release: "stable" 17 | matchExpressions: 18 | - {key: environment, operator: In, values: [dev]} 19 | -------------------------------------------------------------------------------- /Chapter08/8.2.4 pod-use-pvc.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: mypod 6 | spec: 7 | containers: 8 | - name: myfrontend 9 | image: nginx 10 | volumeMounts: 11 | - mountPath: "/var/www/html" 12 | name: mypd 13 | volumes: 14 | - name: mypd 15 | persistentVolumeClaim: 16 | claimName: myclaim 17 | 18 | 19 | 20 | 21 | # use block pvc 22 | --- 23 | apiVersion: v1 24 | kind: PersistentVolume 25 | metadata: 26 | name: block-pv 27 | spec: 28 | capacity: 29 | storage: 10Gi 30 | accessModes: 31 | - ReadWriteOnce 32 | volumeMode: Block 33 | persistentVolumeReclaimPolicy: Retain 34 | fc: 35 | targetWWNs: ["50060e801049cfd1"] 36 | lun: 0 37 | readOnly: false 38 | 39 | 40 | --- 41 | apiVersion: v1 42 | kind: PersistentVolumeClaim 43 | metadata: 44 | name: block-pvc 45 | spec: 46 | accessModes: 47 | - ReadWriteOnce 48 | volumeMode: Block 49 | resources: 50 | requests: 51 | storage: 10Gi 52 | 53 | 54 | --- 55 | apiVersion: v1 56 | kind: Pod 57 | metadata: 58 | name: pod-with-block-volume 59 | spec: 60 | containers: 61 | - name: fc-container 62 | image: fedora:26 63 | command: ["/bin/sh", "-c"] 64 | args: [ "tail -f /dev/null" ] 65 | volumeDevices: 66 | - name: data 67 | devicePath: /dev/xvda 68 | volumes: 69 | - name: data 70 | persistentVolumeClaim: 71 | claimName: block-pvc 72 | 73 | 74 | 75 | 76 | # 2 containers share 1 volume 77 | --- 78 | apiVersion: v1 79 | kind: Pod 80 | metadata: 81 | name: mysql 82 | spec: 83 | containers: 84 | - name: mysql 85 | image: mysql 86 | env: 87 | - name: MYSQL_ROOT_PASSWORD 88 | value: "rootpasswd" 89 | volumeMounts: 90 | - mountPath: /var/lib/mysql 91 | name: site-data 92 | subPath: mysql 93 | - name: php 94 | image: php:7.0-apache 95 | volumeMounts: 96 | - mountPath: /var/www/html 97 | name: site-data 98 | subPath: html 99 | volumes: 100 | - name: site-data 101 | persistentVolumeClaim: 102 | claimName: site-data-pvc 103 | 104 | 105 | --- 106 | apiVersion: v1 107 | 
kind: Pod 108 | metadata: 109 | name: pod1 110 | spec: 111 | containers: 112 | - name: container1 113 | env: 114 | - name: POD_NAME 115 | valueFrom: 116 | fieldRef: 117 | apiVersion: v1 118 | fieldPath: metadata.name 119 | image: busybox 120 | command: [ "sh", "-c", "while [ true ]; do echo 'Hello'; sleep 10; done | tee -a /logs/hello.txt" ] 121 | volumeMounts: 122 | - name: workdir1 123 | mountPath: /logs 124 | subPathExpr: $(POD_NAME) 125 | restartPolicy: Never 126 | volumes: 127 | - name: workdir1 128 | hostPath: 129 | path: /var/log/pods 130 | -------------------------------------------------------------------------------- /Chapter08/8.2.5 storage-class.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: storage.k8s.io/v1 3 | kind: StorageClass 4 | metadata: 5 | name: standard 6 | provisioner: kubernetes.io/aws-ebs 7 | parameters: 8 | type: gp2 9 | reclaimPolicy: Retain 10 | allowVolumeExpansion: true 11 | mountOptions: 12 | - debug 13 | volumeBindingMode: Immediate 14 | 15 | 16 | 17 | 18 | # Volume Binding Mode 19 | --- 20 | apiVersion: storage.k8s.io/v1 21 | kind: StorageClass 22 | metadata: 23 | name: standard 24 | provisioner: kubernetes.io/gce-pd 25 | parameters: 26 | type: pd-standard 27 | volumeBindingMode: WaitForFirstConsumer 28 | allowedTopologies: 29 | - matchLabelExpressions: 30 | - key: failure-domain.beta.kubernetes.io/zone 31 | values: 32 | - us-central1-a 33 | - us-central1-b 34 | 35 | 36 | 37 | 38 | # Parameters 39 | --- 40 | kind: StorageClass 41 | apiVersion: storage.k8s.io/v1 42 | metadata: 43 | name: slow 44 | provisioner: kubernetes.io/aws-ebs 45 | parameters: 46 | type: io1 47 | iopsPerGB: "10" 48 | fsType: ext4 49 | 50 | 51 | --- 52 | kind: StorageClass 53 | apiVersion: storage.k8s.io/v1 54 | metadata: 55 | name: slow 56 | provisioner: kubernetes.io/gce-pd 57 | parameters: 58 | type: pd-standard 59 | fstype: ext4 60 | replication-type: none 61 | 62 | 63 | --- 64 | apiVersion: 
storage.k8s.io/v1 65 | kind: StorageClass 66 | metadata: 67 | name: slow 68 | provisioner: kubernetes.io/glusterfs 69 | parameters: 70 | resturl: "http://127.0.0.1:8081" 71 | clusterid: "630372ccdc720a92c681fb928f27b53f" 72 | restauthenabled: "true" 73 | restuser: "admin" 74 | secretNamespace: "default" 75 | secretName: "heketi-secret" 76 | gidMin: "40000" 77 | gidMax: "50000" 78 | volumetype: "replicate:3" 79 | 80 | 81 | --- 82 | apiVersion: storage.k8s.io/v1 83 | kind: StorageClass 84 | metadata: 85 | name: local-storage 86 | provisioner: kubernetes.io/no-provisioner 87 | volumeBindingMode: WaitForFirstConsumer 88 | 89 | 90 | 91 | 92 | 93 | # default storageclass 94 | --- 95 | kind: StorageClass 96 | apiVersion: storage.k8s.io/v1 97 | metadata: 98 | name: gold 99 | annotations: 100 | storageclass.beta.kubernetes.io/is-default-class: "true" 101 | provisioner: kubernetes.io/gce-pd 102 | parameters: 103 | type: pd-ssd 104 | -------------------------------------------------------------------------------- /Chapter08/8.3 glusterfs-practice.yaml: -------------------------------------------------------------------------------- 1 | # glusterfs 2 | --- 3 | apiVersion: apps/v1 4 | kind: DaemonSet 5 | metadata: 6 | name: glusterfs 7 | labels: 8 | glusterfs: daemonset 9 | annotations: 10 | description: GlusterFS DaemonSet 11 | tags: glusterfs 12 | spec: 13 | template: 14 | metadata: 15 | name: glusterfs 16 | labels: 17 | glusterfs-node: pod 18 | spec: 19 | nodeSelector: 20 | storagenode: glusterfs 21 | hostNetwork: true 22 | containers: 23 | - image: gluster/gluster-centos:latest 24 | name: glusterfs 25 | volumeMounts: 26 | - name: glusterfs-heketi 27 | mountPath: "/var/lib/heketi" 28 | - name: glusterfs-run 29 | mountPath: "/run" 30 | - name: glusterfs-lvm 31 | mountPath: "/run/lvm" 32 | - name: glusterfs-etc 33 | mountPath: "/etc/glusterfs" 34 | - name: glusterfs-logs 35 | mountPath: "/var/log/glusterfs" 36 | - name: glusterfs-config 37 | mountPath: "/var/lib/glusterd" 38 | 
- name: glusterfs-dev 39 | mountPath: "/dev" 40 | - name: glusterfs-misc 41 | mountPath: "/var/lib/misc/glusterfsd" 42 | - name: glusterfs-cgroup 43 | mountPath: "/sys/fs/cgroup" 44 | readOnly: true 45 | - name: glusterfs-ssl 46 | mountPath: "/etc/ssl" 47 | readOnly: true 48 | securityContext: 49 | capabilities: {} 50 | privileged: true 51 | readinessProbe: 52 | timeoutSeconds: 3 53 | initialDelaySeconds: 60 54 | exec: 55 | command: 56 | - "/bin/bash" 57 | - "-c" 58 | - systemctl status glusterd.service 59 | livenessProbe: 60 | timeoutSeconds: 3 61 | initialDelaySeconds: 60 62 | exec: 63 | command: 64 | - "/bin/bash" 65 | - "-c" 66 | - systemctl status glusterd.service 67 | volumes: 68 | - name: glusterfs-heketi 69 | hostPath: 70 | path: "/var/lib/heketi" 71 | - name: glusterfs-run 72 | - name: glusterfs-lvm 73 | hostPath: 74 | path: "/run/lvm" 75 | - name: glusterfs-etc 76 | hostPath: 77 | path: "/etc/glusterfs" 78 | - name: glusterfs-logs 79 | hostPath: 80 | path: "/var/log/glusterfs" 81 | - name: glusterfs-config 82 | hostPath: 83 | path: "/var/lib/glusterd" 84 | - name: glusterfs-dev 85 | hostPath: 86 | path: "/dev" 87 | - name: glusterfs-misc 88 | hostPath: 89 | path: "/var/lib/misc/glusterfsd" 90 | - name: glusterfs-cgroup 91 | hostPath: 92 | path: "/sys/fs/cgroup" 93 | - name: glusterfs-ssl 94 | hostPath: 95 | path: "/etc/ssl" 96 | 97 | 98 | 99 | 100 | # heketi 101 | --- 102 | apiVersion: v1 103 | kind: ServiceAccount 104 | metadata: 105 | name: heketi-service-account 106 | 107 | --- 108 | apiVersion: rbac.authorization.k8s.io/v1 109 | kind: Role 110 | metadata: 111 | name: heketi 112 | rules: 113 | - apiGroups: 114 | - "" 115 | resources: 116 | - endpoints 117 | - services 118 | - pods 119 | verbs: 120 | - get 121 | - list 122 | - watch 123 | - apiGroups: 124 | - "" 125 | resources: 126 | - pods/exec 127 | verbs: 128 | - create 129 | 130 | --- 131 | apiVersion: rbac.authorization.k8s.io/v1 132 | kind: RoleBinding 133 | metadata: 134 | name: heketi 135 | 
roleRef: 136 | apiGroup: rbac.authorization.k8s.io 137 | kind: Role 138 | name: heketi 139 | subjects: 140 | - kind: ServiceAccount 141 | name: heketi-service-account 142 | namespace: default 143 | 144 | 145 | 146 | --- 147 | apiVersion: apps/v1 148 | kind: Deployment 149 | metadata: 150 | name: heketi 151 | labels: 152 | glusterfs: heketi-deployment 153 | deploy-heketi: heketi-deployment 154 | annotations: 155 | description: Defines how to deploy Heketi 156 | spec: 157 | replicas: 1 158 | selector: 159 | matchLabels: 160 | name: deploy-heketi 161 | glusterfs: heketi-pod 162 | template: 163 | metadata: 164 | name: deploy-heketi 165 | labels: 166 | name: deploy-heketi 167 | glusterfs: heketi-pod 168 | spec: 169 | serviceAccountName: heketi-service-account 170 | containers: 171 | - image: heketi/heketi 172 | name: deploy-heketi 173 | env: 174 | - name: HEKETI_EXECUTOR 175 | value: kubernetes 176 | - name: HEKETI_FSTAB 177 | value: "/var/lib/heketi/fstab" 178 | - name: HEKETI_SNAPSHOT_LIMIT 179 | value: '14' 180 | - name: HEKETI_KUBE_GLUSTER_DAEMONSET 181 | value: "y" 182 | ports: 183 | - containerPort: 8080 184 | volumeMounts: 185 | - name: db 186 | mountPath: "/var/lib/heketi" 187 | readinessProbe: 188 | timeoutSeconds: 3 189 | initialDelaySeconds: 3 190 | httpGet: 191 | path: "/hello" 192 | port: 8080 193 | livenessProbe: 194 | timeoutSeconds: 3 195 | initialDelaySeconds: 30 196 | httpGet: 197 | path: "/hello" 198 | port: 8080 199 | volumes: 200 | - name: db 201 | hostPath: 202 | path: "/heketi-data" 203 | 204 | --- 205 | kind: Service 206 | apiVersion: v1 207 | metadata: 208 | name: heketi 209 | labels: 210 | glusterfs: heketi-service 211 | deploy-heketi: support 212 | annotations: 213 | description: Exposes Heketi Service 214 | spec: 215 | selector: 216 | name: deploy-heketi 217 | ports: 218 | - name: deploy-heketi 219 | port: 8080 220 | targetPort: 8080 221 | 222 | 223 | 224 | 225 | # topology.json 226 | { 227 | "clusters": [ 228 | { 229 | "nodes": [ 230 | { 231 
| "node": { 232 | "hostnames": { 233 | "manage": [ 234 | "k8s-node-1" 235 | ], 236 | "storage": [ 237 | "192.168.18.3" 238 | ] 239 | }, 240 | "zone": 1 241 | }, 242 | "devices": [ 243 | "/dev/sdb" 244 | ] 245 | }, 246 | { 247 | "node": { 248 | "hostnames": { 249 | "manage": [ 250 | "k8s-node-2" 251 | ], 252 | "storage": [ 253 | "192.168.18.4" 254 | ] 255 | }, 256 | "zone": 1 257 | }, 258 | "devices": [ 259 | "/dev/sdb" 260 | ] 261 | }, 262 | { 263 | "node": { 264 | "hostnames": { 265 | "manage": [ 266 | "k8s-node-3" 267 | ], 268 | "storage": [ 269 | "192.168.18.5" 270 | ] 271 | }, 272 | "zone": 1 273 | }, 274 | "devices": [ 275 | "/dev/sdb" 276 | ] 277 | } 278 | ] 279 | } 280 | ] 281 | } 282 | 283 | 284 | 285 | export HEKETI_CLI_SERVER=http://localhost:8080 286 | 287 | heketi-cli topology load --json=topology.json 288 | 289 | 290 | 291 | 292 | # StorageClass 293 | --- 294 | apiVersion: storage.k8s.io/v1 295 | kind: StorageClass 296 | metadata: 297 | name: gluster-heketi 298 | provisioner: kubernetes.io/glusterfs 299 | parameters: 300 | resturl: "http://172.17.2.2:8080" 301 | restauthenabled: "false" 302 | 303 | 304 | 305 | 306 | # pvc-gluster-heketi.yaml 307 | --- 308 | apiVersion: v1 309 | kind: PersistentVolumeClaim 310 | metadata: 311 | name: pvc-gluster-heketi 312 | spec: 313 | storageClassName: gluster-heketi 314 | accessModes: 315 | - ReadWriteOnce 316 | resources: 317 | requests: 318 | storage: 1Gi 319 | 320 | 321 | 322 | 323 | # pod-use-pvc.yaml 324 | --- 325 | apiVersion: v1 326 | kind: Pod 327 | metadata: 328 | name: pod-use-pvc 329 | spec: 330 | containers: 331 | - name: pod-use-pvc 332 | image: busybox 333 | command: 334 | - sleep 335 | - "3600" 336 | volumeMounts: 337 | - name: gluster-volume 338 | mountPath: "/pv-data" 339 | readOnly: false 340 | volumes: 341 | - name: gluster-volume 342 | persistentVolumeClaim: 343 | claimName: pvc-gluster-heketi 344 | -------------------------------------------------------------------------------- /Chapter08/8.4.3 
csi.yaml: -------------------------------------------------------------------------------- 1 | # csidriver.yaml 2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: csidrivers.csi.storage.k8s.io 7 | labels: 8 | addonmanager.kubernetes.io/mode: Reconcile 9 | spec: 10 | group: csi.storage.k8s.io 11 | names: 12 | kind: CSIDriver 13 | plural: csidrivers 14 | scope: Cluster 15 | validation: 16 | openAPIV3Schema: 17 | properties: 18 | spec: 19 | description: Specification of the CSI Driver. 20 | properties: 21 | attachRequired: 22 | description: Indicates this CSI volume driver requires an attach operation, and that Kubernetes should call attach and wait for any attach operation to complete before proceeding to mount. 23 | type: boolean 24 | podInfoOnMountVersion: 25 | description: Indicates this CSI volume driver requires additional pod 26 | information (like podName, podUID, etc.) during mount operations. 27 | type: string 28 | version: v1alpha1 29 | 30 | 31 | 32 | 33 | # csinodeinfo.yaml 34 | --- 35 | apiVersion: apiextensions.k8s.io/v1beta1 36 | kind: CustomResourceDefinition 37 | metadata: 38 | name: csinodeinfos.csi.storage.k8s.io 39 | labels: 40 | addonmanager.kubernetes.io/mode: Reconcile 41 | spec: 42 | group: csi.storage.k8s.io 43 | names: 44 | kind: CSINodeInfo 45 | plural: csinodeinfos 46 | scope: Cluster 47 | validation: 48 | openAPIV3Schema: 49 | properties: 50 | spec: 51 | description: Specification of CSINodeInfo 52 | properties: 53 | drivers: 54 | description: List of CSI drivers running on the node and their specs. 55 | type: array 56 | items: 57 | properties: 58 | name: 59 | description: The CSI driver that this object refers to. 60 | type: string 61 | nodeID: 62 | description: The node from the driver point of view. 63 | type: string 64 | topologyKeys: 65 | description: List of keys supported by the driver. 
66 | items: 67 | type: string 68 | type: array 69 | status: 70 | description: Status of CSINodeInfo 71 | properties: 72 | drivers: 73 | description: List of CSI drivers running on the node and their statuses. 74 | type: array 75 | items: 76 | properties: 77 | name: 78 | description: The CSI driver that this object refers to. 79 | type: string 80 | available: 81 | description: Whether the CSI driver is installed. 82 | type: boolean 83 | volumePluginMechanism: 84 | description: Indicates to external components the required mechanism 85 | to use for any in-tree plugins replaced by this driver. 86 | pattern: in-tree|csi 87 | type: string 88 | version: v1alpha1 89 | 90 | 91 | 92 | 93 | 94 | # csi-hostpath-attacher.yaml 95 | --- 96 | apiVersion: v1 97 | kind: ServiceAccount 98 | metadata: 99 | name: csi-attacher 100 | namespace: default 101 | --- 102 | kind: ClusterRole 103 | apiVersion: rbac.authorization.k8s.io/v1 104 | metadata: 105 | name: external-attacher-runner 106 | rules: 107 | - apiGroups: [""] 108 | resources: ["persistentvolumes"] 109 | verbs: ["get", "list", "watch", "update"] 110 | - apiGroups: [""] 111 | resources: ["nodes"] 112 | verbs: ["get", "list", "watch"] 113 | - apiGroups: ["csi.storage.k8s.io"] 114 | resources: ["csinodeinfos"] 115 | verbs: ["get", "list", "watch"] 116 | - apiGroups: ["storage.k8s.io"] 117 | resources: ["volumeattachments"] 118 | verbs: ["get", "list", "watch", "update"] 119 | --- 120 | kind: ClusterRoleBinding 121 | apiVersion: rbac.authorization.k8s.io/v1 122 | metadata: 123 | name: csi-attacher-role 124 | subjects: 125 | - kind: ServiceAccount 126 | name: csi-attacher 127 | namespace: default 128 | roleRef: 129 | kind: ClusterRole 130 | name: external-attacher-runner 131 | apiGroup: rbac.authorization.k8s.io 132 | --- 133 | kind: Role 134 | apiVersion: rbac.authorization.k8s.io/v1 135 | metadata: 136 | namespace: default 137 | name: external-attacher-cfg 138 | rules: 139 | - apiGroups: [""] 140 | resources: ["configmaps"] 141 | 
verbs: ["get", "watch", "list", "delete", "update", "create"] 142 | --- 143 | kind: RoleBinding 144 | apiVersion: rbac.authorization.k8s.io/v1 145 | metadata: 146 | name: csi-attacher-role-cfg 147 | namespace: default 148 | subjects: 149 | - kind: ServiceAccount 150 | name: csi-attacher 151 | namespace: default 152 | roleRef: 153 | kind: Role 154 | name: external-attacher-cfg 155 | apiGroup: rbac.authorization.k8s.io 156 | 157 | --- 158 | kind: Service 159 | apiVersion: v1 160 | metadata: 161 | name: csi-hostpath-attacher 162 | labels: 163 | app: csi-hostpath-attacher 164 | spec: 165 | selector: 166 | app: csi-hostpath-attacher 167 | ports: 168 | - name: dummy 169 | port: 12345 170 | --- 171 | kind: StatefulSet 172 | apiVersion: apps/v1 173 | metadata: 174 | name: csi-hostpath-attacher 175 | spec: 176 | serviceName: "csi-hostpath-attacher" 177 | replicas: 1 178 | selector: 179 | matchLabels: 180 | app: csi-hostpath-attacher 181 | template: 182 | metadata: 183 | labels: 184 | app: csi-hostpath-attacher 185 | spec: 186 | serviceAccountName: csi-attacher 187 | containers: 188 | - name: csi-attacher 189 | image: quay.io/k8scsi/csi-attacher:v1.0.1 190 | imagePullPolicy: IfNotPresent 191 | args: 192 | - --v=5 193 | - --csi-address=$(ADDRESS) 194 | env: 195 | - name: ADDRESS 196 | value: /csi/csi.sock 197 | volumeMounts: 198 | - mountPath: /csi 199 | name: socket-dir 200 | volumes: 201 | - hostPath: 202 | path: /var/lib/kubelet/plugins/csi-hostpath 203 | type: DirectoryOrCreate 204 | name: socket-dir 205 | 206 | 207 | # csi-hostpath-provisioner.yaml 208 | --- 209 | apiVersion: v1 210 | kind: ServiceAccount 211 | metadata: 212 | name: csi-provisioner 213 | namespace: default 214 | --- 215 | kind: ClusterRole 216 | apiVersion: rbac.authorization.k8s.io/v1 217 | metadata: 218 | name: external-provisioner-runner 219 | rules: 220 | - apiGroups: [""] 221 | resources: ["secrets"] 222 | verbs: ["get", "list"] 223 | - apiGroups: [""] 224 | resources: ["persistentvolumes"] 225 | 
verbs: ["get", "list", "watch", "create", "delete"] 226 | - apiGroups: [""] 227 | resources: ["persistentvolumeclaims"] 228 | verbs: ["get", "list", "watch", "update"] 229 | - apiGroups: ["storage.k8s.io"] 230 | resources: ["storageclasses"] 231 | verbs: ["get", "list", "watch"] 232 | - apiGroups: [""] 233 | resources: ["events"] 234 | verbs: ["list", "watch", "create", "update", "patch"] 235 | - apiGroups: ["snapshot.storage.k8s.io"] 236 | resources: ["volumesnapshots"] 237 | verbs: ["get", "list"] 238 | - apiGroups: ["snapshot.storage.k8s.io"] 239 | resources: ["volumesnapshotcontents"] 240 | verbs: ["get", "list"] 241 | - apiGroups: ["csi.storage.k8s.io"] 242 | resources: ["csinodeinfos"] 243 | verbs: ["get", "list", "watch"] 244 | - apiGroups: [""] 245 | resources: ["nodes"] 246 | verbs: ["get", "list", "watch"] 247 | --- 248 | kind: ClusterRoleBinding 249 | apiVersion: rbac.authorization.k8s.io/v1 250 | metadata: 251 | name: csi-provisioner-role 252 | subjects: 253 | - kind: ServiceAccount 254 | name: csi-provisioner 255 | namespace: default 256 | roleRef: 257 | kind: ClusterRole 258 | name: external-provisioner-runner 259 | apiGroup: rbac.authorization.k8s.io 260 | --- 261 | kind: Role 262 | apiVersion: rbac.authorization.k8s.io/v1 263 | metadata: 264 | namespace: default 265 | name: external-provisioner-cfg 266 | rules: 267 | - apiGroups: [""] 268 | resources: ["endpoints"] 269 | verbs: ["get", "watch", "list", "delete", "update", "create"] 270 | --- 271 | kind: RoleBinding 272 | apiVersion: rbac.authorization.k8s.io/v1 273 | metadata: 274 | name: csi-provisioner-role-cfg 275 | namespace: default 276 | subjects: 277 | - kind: ServiceAccount 278 | name: csi-provisioner 279 | namespace: default 280 | roleRef: 281 | kind: Role 282 | name: external-provisioner-cfg 283 | apiGroup: rbac.authorization.k8s.io 284 | 285 | --- 286 | kind: Service 287 | apiVersion: v1 288 | metadata: 289 | name: csi-hostpath-provisioner 290 | labels: 291 | app: csi-hostpath-provisioner 
292 | spec: 293 | selector: 294 | app: csi-hostpath-provisioner 295 | ports: 296 | - name: dummy 297 | port: 12345 298 | --- 299 | kind: StatefulSet 300 | apiVersion: apps/v1 301 | metadata: 302 | name: csi-hostpath-provisioner 303 | spec: 304 | serviceName: "csi-hostpath-provisioner" 305 | replicas: 1 306 | selector: 307 | matchLabels: 308 | app: csi-hostpath-provisioner 309 | template: 310 | metadata: 311 | labels: 312 | app: csi-hostpath-provisioner 313 | spec: 314 | serviceAccountName: csi-provisioner 315 | containers: 316 | - name: csi-provisioner 317 | image: quay.io/k8scsi/csi-provisioner:v1.0.1 318 | imagePullPolicy: IfNotPresent 319 | args: 320 | - "--provisioner=csi-hostpath" 321 | - "--csi-address=$(ADDRESS)" 322 | - "--connection-timeout=15s" 323 | env: 324 | - name: ADDRESS 325 | value: /csi/csi.sock 326 | volumeMounts: 327 | - mountPath: /csi 328 | name: socket-dir 329 | volumes: 330 | - hostPath: 331 | path: /var/lib/kubelet/plugins/csi-hostpath 332 | type: DirectoryOrCreate 333 | name: socket-dir 334 | 335 | 336 | # csi-hostpathplugin.yaml 337 | --- 338 | apiVersion: v1 339 | kind: ServiceAccount 340 | metadata: 341 | name: csi-node-sa 342 | namespace: default 343 | 344 | --- 345 | kind: ClusterRole 346 | apiVersion: rbac.authorization.k8s.io/v1 347 | metadata: 348 | name: driver-registrar-runner 349 | rules: 350 | - apiGroups: [""] 351 | resources: ["events"] 352 | verbs: ["get", "list", "watch", "create", "update", "patch"] 353 | 354 | --- 355 | kind: ClusterRoleBinding 356 | apiVersion: rbac.authorization.k8s.io/v1 357 | metadata: 358 | name: csi-driver-registrar-role 359 | subjects: 360 | - kind: ServiceAccount 361 | name: csi-node-sa 362 | namespace: default 363 | roleRef: 364 | kind: ClusterRole 365 | name: driver-registrar-runner 366 | apiGroup: rbac.authorization.k8s.io 367 | 368 | --- 369 | kind: DaemonSet 370 | apiVersion: apps/v1 371 | metadata: 372 | name: csi-hostpathplugin 373 | spec: 374 | selector: 375 | matchLabels: 376 | app: 
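csi-hostpathplugin
  template:
    metadata:
      labels:
        app: csi-hostpathplugin
    spec:
      serviceAccountName: csi-node-sa
      # The node plugin runs in the node's network namespace: it can reach, and
      # is reachable from, everything the node itself is. Keep this DaemonSet in
      # a dedicated namespace and gate it with pod security admission rather
      # than letting the same policy apply to workload namespaces.
      hostNetwork: true
      containers:
        - name: driver-registrar
          # Images are pinned by tag; a tag is mutable, a digest (image@sha256:...) is not.
          image: quay.io/k8scsi/csi-node-driver-registrar:v1.0.1
          imagePullPolicy: IfNotPresent
          args:
            - --v=5
            - --csi-address=/csi/csi.sock
            - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-hostpath/csi.sock
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
            - mountPath: /registration
              name: registration-dir
        - name: hostpath
          image: quay.io/k8scsi/hostpathplugin:v1.0.1
          imagePullPolicy: IfNotPresent
          args:
            - "--v=5"
            - "--endpoint=$(CSI_ENDPOINT)"
            - "--nodeid=$(KUBE_NODE_NAME)"
          env:
            - name: CSI_ENDPOINT
              value: unix:///csi/csi.sock
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          securityContext:
            # Required for the Bidirectional mount below. A privileged container
            # is equivalent to root on the node, so this image and its supply
            # chain deserve the most scrutiny of anything in this file.
            privileged: true
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
            # Mounts the plugin performs under this path propagate back to the
            # host so the kubelet can hand them to pods.
            - mountPath: /var/lib/kubelet/pods
              mountPropagation: Bidirectional
              name: mountpoint-dir
      volumes:
        - hostPath:
            path: /var/lib/kubelet/plugins/csi-hostpath
            type: DirectoryOrCreate
          name: socket-dir
        - hostPath:
            path: /var/lib/kubelet/pods
            type: DirectoryOrCreate
          name: mountpoint-dir
        - hostPath:
            path: /var/lib/kubelet/plugins_registry
            type: Directory
          name: registration-dir


# csi-storageclass.yaml
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-hostpath-sc
provisioner: csi-hostpath
# Deleting a PVC bound through this class also deletes the backing volume;
# use Retain where data must survive an accidental PVC deletion.
reclaimPolicy: Delete
volumeBindingMode: Immediate


# csi-pvc.yaml
---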
apiVersion: v1 455 | kind: PersistentVolumeClaim 456 | metadata: 457 | name: csi-pvc 458 | spec: 459 | accessModes: 460 | - ReadWriteOnce 461 | resources: 462 | requests: 463 | storage: 1Gi 464 | storageClassName: csi-hostpath-sc 465 | 466 | 467 | # csi-app.yaml 468 | --- 469 | kind: Pod 470 | apiVersion: v1 471 | metadata: 472 | name: my-csi-app 473 | spec: 474 | containers: 475 | - name: my-csi-app 476 | image: busybox 477 | imagePullPolicy: IfNotPresent 478 | command: [ "sleep", "1000000" ] 479 | volumeMounts: 480 | - mountPath: "/data" 481 | name: my-csi-volume 482 | volumes: 483 | - name: my-csi-volume 484 | persistentVolumeClaim: 485 | claimName: csi-pvc 486 | -------------------------------------------------------------------------------- /Chapter08/8.4.4 csi-volumesnapshot.yaml: -------------------------------------------------------------------------------- 1 | # VolumeSnapshot 2 | --- 3 | apiVersion: snapshot.storage.k8s.io/v1beta1 4 | kind: VolumeSnapshot 5 | metadata: 6 | name: new-snapshot-test 7 | spec: 8 | volumeSnapshotClassName: csi-hostpath-snapclass 9 | source: 10 | persistentVolumeClaimName: pvc-test 11 | 12 | 13 | --- 14 | apiVersion: snapshot.storage.k8s.io/v1beta1 15 | kind: VolumeSnapshot 16 | metadata: 17 | name: snapshot-test 18 | spec: 19 | source: 20 | volumeSnapshotContentName: test-content 21 | 22 | 23 | 24 | 25 | # VolumeSnapshotContent 26 | --- 27 | apiVersion: snapshot.storage.k8s.io/v1beta1 28 | kind: VolumeSnapshotContent 29 | metadata: 30 | name: snapcontent-72d9a349-aacd-42d2-a240-d775650d2455 31 | spec: 32 | deletionPolicy: Delete 33 | driver: hostpath.csi.k8s.io 34 | source: 35 | volumeHandle: ee0cfb94-f8d4-11e9-b2d8-0242ac110002 36 | volumeSnapshotClassName: csi-hostpath-snapclass 37 | volumeSnapshotRef: 38 | name: new-snapshot-test 39 | namespace: default 40 | uid: 72d9a349-aacd-42d2-a240-d775650d2455 41 | 42 | 43 | --- 44 | apiVersion: snapshot.storage.k8s.io/v1beta1 45 | kind: VolumeSnapshotContent 46 | metadata: 47 | 
name: new-snapshot-content-test 48 | spec: 49 | deletionPolicy: Delete 50 | driver: hostpath.csi.k8s.io 51 | source: 52 | snapshotHandle: 7bdd0de3-aaeb-11e8-9aae-0242ac110002 53 | volumeSnapshotRef: 54 | name: new-snapshot-test 55 | namespace: default 56 | 57 | 58 | 59 | 60 | # VolumeSnapshotClass 61 | --- 62 | apiVersion: snapshot.storage.k8s.io/v1beta1 63 | kind: VolumeSnapshotClass 64 | metadata: 65 | name: csi-hostpath-snapclass 66 | driver: hostpath.csi.k8s.io 67 | deletionPolicy: Delete 68 | parameters: 69 | 70 | 71 | --- 72 | apiVersion: snapshot.storage.k8s.io/v1beta1 73 | kind: VolumeSnapshotClass 74 | metadata: 75 | name: csi-hostpath-snapclass 76 | annotations: 77 | snapshot.storage.kubernetes.io/is-default-class: "true" 78 | driver: hostpath.csi.k8s.io 79 | deletionPolicy: Delete 80 | parameters: 81 | 82 | 83 | 84 | 85 | 86 | # pvc from Snapshot 87 | apiVersion: v1 88 | kind: PersistentVolumeClaim 89 | metadata: 90 | name: restore-pvc 91 | spec: 92 | storageClassName: csi-hostpath-sc 93 | dataSource: 94 | name: new-snapshot-test 95 | kind: VolumeSnapshot 96 | apiGroup: snapshot.storage.k8s.io 97 | accessModes: 98 | - ReadWriteOnce 99 | resources: 100 | requests: 101 | storage: 10Gi 102 | 103 | 104 | 105 | # pvc clone 106 | --- 107 | apiVersion: v1 108 | kind: PersistentVolumeClaim 109 | metadata: 110 | name: clone-of-pvc-1 111 | namespace: myns 112 | spec: 113 | accessModes: 114 | - ReadWriteOnce 115 | storageClassName: cloning 116 | resources: 117 | requests: 118 | storage: 5Gi 119 | dataSource: 120 | kind: PersistentVolumeClaim 121 | name: pvc-1 122 | -------------------------------------------------------------------------------- /Chapter09/9.4.1 customresourcedefinition.yaml: -------------------------------------------------------------------------------- 1 | # CRD 2 | --- 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: virtualservices.networking.istio.io 7 | annotations: 8 | "helm.sh/hook": 
crd-install 9 | labels: 10 | app: istio-pilot 11 | spec: 12 | group: networking.istio.io 13 | scope: Namespaced 14 | versions: 15 | - name: v1alpha3 16 | served: true 17 | storage: true 18 | names: 19 | kind: VirtualService 20 | listKind: VirtualServiceList 21 | singular: virtualservice 22 | plural: virtualservices 23 | categories: 24 | - istio-io 25 | - networking-istio-io 26 | 27 | 28 | 29 | # CR 30 | --- 31 | apiVersion: networking.istio.io/v1alpha3 32 | kind: VirtualService 33 | metadata: 34 | name: helloworld 35 | spec: 36 | hosts: 37 | - "*" 38 | gateways: 39 | - helloworld-gateway 40 | http: 41 | - match: 42 | - uri: 43 | exact: /hello 44 | route: 45 | - destination: 46 | host: helloworld 47 | port: 48 | number: 5000 49 | 50 | 51 | 52 | # CRD subresources 53 | --- 54 | apiVersion: apiextensions.k8s.io/v1beta1 55 | kind: CustomResourceDefinition 56 | metadata: 57 | name: crontabs.stable.example.com 58 | spec: 59 | group: stable.example.com 60 | versions: 61 | - name: v1 62 | served: true 63 | storage: true 64 | scope: Namespaced 65 | names: 66 | plural: crontabs 67 | singular: crontab 68 | kind: CronTab 69 | shortNames: 70 | - ct 71 | subresources: 72 | status: {} 73 | scale: 74 | specReplicasPath: .spec.replicas 75 | statusReplicasPath: .status.replicas 76 | labelSelectorPath: .status.labelSelector 77 | 78 | 79 | 80 | # CRD validation 81 | --- 82 | apiVersion: apiextensions.k8s.io/v1beta1 83 | kind: CustomResourceDefinition 84 | metadata: 85 | name: crontabs.stable.example.com 86 | spec: 87 | group: stable.example.com 88 | versions: 89 | - name: v1 90 | served: true 91 | storage: true 92 | version: v1 93 | scope: Namespaced 94 | names: 95 | plural: crontabs 96 | singular: crontab 97 | kind: CronTab 98 | shortNames: 99 | - ct 100 | validation: 101 | openAPIV3Schema: 102 | properties: 103 | spec: 104 | properties: 105 | cronSpec: 106 | type: string 107 | pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$' 108 | replicas: 109 | type: integer 110 | minimum: 1 
111 | maximum: 10 112 | 113 | 114 | # CR validation failed 115 | --- 116 | apiVersion: "stable.example.com/v1" 117 | kind: CronTab 118 | metadata: 119 | name: my-new-cron-object 120 | spec: 121 | cronSpec: "* * * *" 122 | image: my-awesome-cron-image 123 | replicas: 15 124 | 125 | 126 | 127 | 128 | --- 129 | apiVersion: apiextensions.k8s.io/v1beta1 130 | kind: CustomResourceDefinition 131 | metadata: 132 | name: crontabs.stable.example.com 133 | spec: 134 | group: stable.example.com 135 | version: v1 136 | scope: Namespaced 137 | names: 138 | plural: crontabs 139 | singular: crontab 140 | kind: CronTab 141 | shortNames: 142 | - ct 143 | additionalPrinterColumns: 144 | - name: Spec 145 | type: string 146 | description: The cron spec defining the interval a CronJob is run 147 | JSONPath: .spec.cronSpec 148 | - name: Replicas 149 | type: integer 150 | description: The number of jobs launched by the CronJob 151 | JSONPath: .spec.replicas 152 | - name: Age 153 | type: date 154 | JSONPath: .metadata.creationTimestamp 155 | 156 | 157 | 158 | 159 | 160 | # CRD multiple versions 161 | --- 162 | apiVersion: apiextensions.k8s.io/v1beta1 163 | kind: CustomResourceDefinition 164 | metadata: 165 | name: crontabs.example.com 166 | spec: 167 | group: example.com 168 | versions: 169 | - name: v1beta1 170 | served: true 171 | storage: true 172 | schema: 173 | openAPIV3Schema: 174 | type: object 175 | properties: 176 | host: 177 | type: string 178 | port: 179 | type: string 180 | - name: v1 181 | served: true 182 | storage: false 183 | schema: 184 | openAPIV3Schema: 185 | type: object 186 | properties: 187 | host: 188 | type: string 189 | port: 190 | type: string 191 | 192 | 193 | 194 | 195 | # CRD Schema 196 | --- 197 | apiVersion: apiextensions.k8s.io/v1 198 | kind: CustomResourceDefinition 199 | metadata: 200 | name: crontabs.stable.example.com 201 | spec: 202 | group: stable.example.com 203 | versions: 204 | - name: v1 205 | served: true 206 | storage: true 207 | schema: 208 | 
openAPIV3Schema: 209 | type: object 210 | properties: 211 | spec: 212 | type: object 213 | properties: 214 | cronSpec: 215 | type: string 216 | pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$' 217 | image: 218 | type: string 219 | replicas: 220 | type: integer 221 | minimum: 1 222 | maximum: 10 223 | -------------------------------------------------------------------------------- /Chapter09/9.4.2 apiaggregation-apiservice.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiregistration.k8s.io/v1beta1 3 | kind: APIService 4 | metadata: 5 | name: v1beta1.custom.metrics.k8s.io 6 | spec: 7 | service: 8 | name: custom-metrics-server 9 | namespace: custom-metrics 10 | group: custom.metrics.k8s.io 11 | version: v1beta1 12 | insecureSkipTLSVerify: true 13 | groupPriorityMinimum: 100 14 | versionPriority: 100 15 | 16 | 17 | 18 | # metrics server example 19 | --- 20 | apiVersion: v1 21 | kind: ServiceAccount 22 | metadata: 23 | name: metrics-server 24 | namespace: kube-system 25 | --- 26 | apiVersion: extensions/v1beta1 27 | kind: Deployment 28 | metadata: 29 | name: metrics-server 30 | namespace: kube-system 31 | labels: 32 | k8s-app: metrics-server 33 | spec: 34 | selector: 35 | matchLabels: 36 | k8s-app: metrics-server 37 | template: 38 | metadata: 39 | name: metrics-server 40 | labels: 41 | k8s-app: metrics-server 42 | spec: 43 | serviceAccountName: metrics-server 44 | containers: 45 | - name: metrics-server 46 | image: k8s.gcr.io/metrics-server-amd64:v0.3.1 47 | imagePullPolicy: IfNotPresent 48 | volumeMounts: 49 | - name: tmp-dir 50 | mountPath: /tmp 51 | volumes: 52 | - name: tmp-dir 53 | emptyDir: {} 54 | --- 55 | apiVersion: v1 56 | kind: Service 57 | metadata: 58 | name: metrics-server 59 | namespace: kube-system 60 | labels: 61 | kubernetes.io/name: "Metrics-server" 62 | spec: 63 | selector: 64 | k8s-app: metrics-server 65 | ports: 66 | - port: 443 67 | protocol: TCP 68 | targetPort: 443 69 | 70 | 71 
| --- 72 | kind: ClusterRole 73 | apiVersion: rbac.authorization.k8s.io/v1 74 | metadata: 75 | name: system:aggregated-metrics-reader 76 | labels: 77 | rbac.authorization.k8s.io/aggregate-to-view: "true" 78 | rbac.authorization.k8s.io/aggregate-to-edit: "true" 79 | rbac.authorization.k8s.io/aggregate-to-admin: "true" 80 | rules: 81 | - apiGroups: ["metrics.k8s.io"] 82 | resources: ["pods"] 83 | verbs: ["get", "list", "watch"] 84 | --- 85 | apiVersion: rbac.authorization.k8s.io/v1 86 | kind: ClusterRole 87 | metadata: 88 | name: system:metrics-server 89 | rules: 90 | - apiGroups: 91 | - "" 92 | resources: 93 | - pods 94 | - nodes 95 | - nodes/stats 96 | verbs: 97 | - get 98 | - list 99 | - watch 100 | --- 101 | apiVersion: rbac.authorization.k8s.io/v1 102 | kind: ClusterRoleBinding 103 | metadata: 104 | name: system:metrics-server 105 | roleRef: 106 | apiGroup: rbac.authorization.k8s.io 107 | kind: ClusterRole 108 | name: system:metrics-server 109 | subjects: 110 | - kind: ServiceAccount 111 | name: metrics-server 112 | namespace: kube-system 113 | 114 | --- 115 | apiVersion: rbac.authorization.k8s.io/v1beta1 116 | kind: ClusterRoleBinding 117 | metadata: 118 | name: metrics-server:system:auth-delegator 119 | roleRef: 120 | apiGroup: rbac.authorization.k8s.io 121 | kind: ClusterRole 122 | name: system:auth-delegator 123 | subjects: 124 | - kind: ServiceAccount 125 | name: metrics-server 126 | namespace: kube-system 127 | 128 | --- 129 | apiVersion: rbac.authorization.k8s.io/v1beta1 130 | kind: RoleBinding 131 | metadata: 132 | name: metrics-server-auth-reader 133 | namespace: kube-system 134 | roleRef: 135 | apiGroup: rbac.authorization.k8s.io 136 | kind: Role 137 | name: extension-apiserver-authentication-reader 138 | subjects: 139 | - kind: ServiceAccount 140 | name: metrics-server 141 | namespace: kube-system 142 | 143 | 144 | 145 | # APIService 146 | --- 147 | apiVersion: apiregistration.k8s.io/v1beta1 148 | kind: APIService 149 | metadata: 150 | name: 
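v1beta1.metrics.k8s.io
spec:
  service:
    name: metrics-server
    namespace: kube-system
  group: metrics.k8s.io
  version: v1beta1
  # The aggregator will not verify metrics-server's serving certificate.
  # Acceptable in a lab; elsewhere set caBundle to the CA that signed that
  # certificate and remove this field.
  insecureSkipTLSVerify: true
  groupPriorityMinimum: 100
  versionPriority: 100




# Plain-HTTP requests to the API server's insecure port, a listener with no
# authentication or authorization that current Kubernetes releases no longer
# ship. Use `kubectl get --raw <path>` or a kubectl proxy instead.
curl http://192.168.18.3:8080/apis/metrics.k8s.io/v1beta1/nodes

curl http://192.168.18.3:8080/apis/metrics.k8s.io/v1beta1/pods

-------------------------------------------------------------------------------- /Chapter10/10.1.1 unschedule-node.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Node
metadata:
  name: k8s-node-1
  labels:
    kubernetes.io/hostname: k8s-node-1
spec:
  # Same effect as `kubectl cordon`: no new pods are scheduled here, pods
  # already running are left alone.
  unschedulable: true

-------------------------------------------------------------------------------- /Chapter10/10.10 dashboard.yaml: --------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---
# Deliberately empty: the Deployment later in this file mounts it at /certs and
# starts the dashboard with --auto-generate-certificates, so a self-signed
# certificate is produced at runtime. To serve a CA-signed certificate instead,
# populate this Secret and drop that flag.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  # Created empty; the Role later in this file grants the dashboard get/update/
  # delete on this Secret, so the CSRF key is expected to be written at runtime
  # (confirm against the dashboard version deployed).
  csrf: ""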
| 53 | --- 54 | apiVersion: v1 55 | kind: Secret 56 | metadata: 57 | labels: 58 | k8s-app: kubernetes-dashboard 59 | name: kubernetes-dashboard-key-holder 60 | namespace: kubernetes-dashboard 61 | type: Opaque 62 | 63 | --- 64 | kind: ConfigMap 65 | apiVersion: v1 66 | metadata: 67 | labels: 68 | k8s-app: kubernetes-dashboard 69 | name: kubernetes-dashboard-settings 70 | namespace: kubernetes-dashboard 71 | 72 | --- 73 | kind: Role 74 | apiVersion: rbac.authorization.k8s.io/v1 75 | metadata: 76 | labels: 77 | k8s-app: kubernetes-dashboard 78 | name: kubernetes-dashboard 79 | namespace: kubernetes-dashboard 80 | rules: 81 | - apiGroups: [""] 82 | resources: ["secrets"] 83 | resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] 84 | verbs: ["get", "update", "delete"] 85 | - apiGroups: [""] 86 | resources: ["configmaps"] 87 | resourceNames: ["kubernetes-dashboard-settings"] 88 | verbs: ["get", "update"] 89 | - apiGroups: [""] 90 | resources: ["services"] 91 | resourceNames: ["heapster", "dashboard-metrics-scraper"] 92 | verbs: ["proxy"] 93 | - apiGroups: [""] 94 | resources: ["services/proxy"] 95 | resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] 96 | verbs: ["get"] 97 | 98 | --- 99 | kind: ClusterRole 100 | apiVersion: rbac.authorization.k8s.io/v1 101 | metadata: 102 | labels: 103 | k8s-app: kubernetes-dashboard 104 | name: kubernetes-dashboard 105 | rules: 106 | # Allow Metrics Scraper to get metrics from the Metrics server 107 | - apiGroups: ["metrics.k8s.io"] 108 | resources: ["pods", "nodes"] 109 | verbs: ["get", "list", "watch"] 110 | 111 | --- 112 | apiVersion: rbac.authorization.k8s.io/v1 113 | kind: RoleBinding 114 | metadata: 115 | labels: 116 | k8s-app: kubernetes-dashboard 117 | name: kubernetes-dashboard 118 | namespace: kubernetes-dashboard 119 | roleRef: 120 | apiGroup: rbac.authorization.k8s.io 121 | kind: Role 122 | 
name: kubernetes-dashboard 123 | subjects: 124 | - kind: ServiceAccount 125 | name: kubernetes-dashboard 126 | namespace: kubernetes-dashboard 127 | 128 | --- 129 | apiVersion: rbac.authorization.k8s.io/v1 130 | kind: ClusterRoleBinding 131 | metadata: 132 | name: kubernetes-dashboard 133 | roleRef: 134 | apiGroup: rbac.authorization.k8s.io 135 | kind: ClusterRole 136 | name: kubernetes-dashboard 137 | subjects: 138 | - kind: ServiceAccount 139 | name: kubernetes-dashboard 140 | namespace: kubernetes-dashboard 141 | 142 | --- 143 | kind: Deployment 144 | apiVersion: apps/v1 145 | metadata: 146 | labels: 147 | k8s-app: kubernetes-dashboard 148 | name: kubernetes-dashboard 149 | namespace: kubernetes-dashboard 150 | spec: 151 | replicas: 1 152 | revisionHistoryLimit: 10 153 | selector: 154 | matchLabels: 155 | k8s-app: kubernetes-dashboard 156 | template: 157 | metadata: 158 | labels: 159 | k8s-app: kubernetes-dashboard 160 | spec: 161 | containers: 162 | - name: kubernetes-dashboard 163 | image: kubernetesui/dashboard:v2.0.5 164 | imagePullPolicy: Always 165 | ports: 166 | - containerPort: 8443 167 | protocol: TCP 168 | args: 169 | - --auto-generate-certificates 170 | - --namespace=kubernetes-dashboard 171 | volumeMounts: 172 | - name: kubernetes-dashboard-certs 173 | mountPath: /certs 174 | - mountPath: /tmp 175 | name: tmp-volume 176 | livenessProbe: 177 | httpGet: 178 | scheme: HTTPS 179 | path: / 180 | port: 8443 181 | initialDelaySeconds: 30 182 | timeoutSeconds: 30 183 | securityContext: 184 | allowPrivilegeEscalation: false 185 | readOnlyRootFilesystem: true 186 | runAsUser: 1001 187 | runAsGroup: 2001 188 | volumes: 189 | - name: kubernetes-dashboard-certs 190 | secret: 191 | secretName: kubernetes-dashboard-certs 192 | - name: tmp-volume 193 | emptyDir: {} 194 | serviceAccountName: kubernetes-dashboard 195 | nodeSelector: 196 | "kubernetes.io/os": linux 197 | tolerations: 198 | - key: node-role.kubernetes.io/master 199 | effect: NoSchedule 200 | 201 | --- 
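kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        # Deprecated alpha annotation form of the seccomp setting; on current
        # clusters use securityContext.seccompProfile.type: RuntimeDefault on
        # the pod spec instead.
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.6
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      # Shares the dashboard's ServiceAccount, and therefore every RBAC grant
      # made to it in this file; the metrics.k8s.io read rule on the ClusterRole
      # is the part the scraper actually needs.
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}

-------------------------------------------------------------------------------- /Chapter10/10.11 helm.txt: --------------------------------------------------------------------------------
# Runs whatever the remote server returns, unreviewed. Prefer downloading the
# script to a file, reading it, and checking the published checksum or signature
# of the release before executing it.
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash

brew install helm

choco install kubernetes-helm

curl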
https://baltocdn.com/helm/signing.asc | sudo apt-key add - 8 | sudo apt-get install apt-transport-https --yes 9 | echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list 10 | sudo apt-get update 11 | sudo apt-get install helm 12 | 13 | 14 | 15 | helm repo add stable https://charts.helm.sh/stable 16 | 17 | helm search repo stable 18 | 19 | helm search hub 20 | 21 | helm search hub mysql 22 | 23 | helm repo list 24 | 25 | helm repo add dev https://example.com/dev-charts 26 | 27 | helm repo update 28 | 29 | helm repo remove stable 30 | 31 | helm install mariadb-1 stable/mariadb 32 | 33 | helm list 34 | 35 | helm status mariadb-1 36 | 37 | helm show values stable/mariadb 38 | 39 | helm install -f config.yaml mariadb-1 stable/mariadb 40 | 41 | helm upgrade -f user1.yaml mariadb-1 stable/mariadb 42 | 43 | helm get values mariadb-1 44 | 45 | helm rollback mariadb-1 1 46 | 47 | helm history mariadb-1 48 | 49 | helm uninstall mariadb-1 50 | 51 | helm uninstall mariadb-1 --keep-history 52 | 53 | helm list --uninstalled 54 | 55 | helm create deis-workflow 56 | 57 | helm lint deis-workflow 58 | 59 | helm package deis-workflow 60 | 61 | helm install deis-workflow-1 deis-workflow-0.1.0.tgz 62 | -------------------------------------------------------------------------------- /Chapter10/10.3.1 namespace.yaml: -------------------------------------------------------------------------------- 1 | # namespace-development.yaml 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: development 6 | 7 | 8 | # namespace-production.yaml 9 | apiVersion: v1 10 | kind: Namespace 11 | metadata: 12 | name: production 13 | -------------------------------------------------------------------------------- /Chapter10/10.3.3 context.yaml: -------------------------------------------------------------------------------- 1 | kubectl config set-cluster kubernetes-cluster --server=https://192.168.1.128:8080 2 | 3 | kubectl config 
set-context ctx-dev --namespace=development --cluster=kubernetes-cluster --user=dev 4 | 5 | kubectl config set-context ctx-prod --namespace=production --cluster=kubernetes-cluster --user=prod 6 | 7 | 8 | 9 | kubectl config use-context ctx-dev 10 | 11 | 12 | 13 | # redis-slave-controller.yaml 14 | apiVersion: v1 15 | kind: ReplicationController 16 | metadata: 17 | name: redis-slave 18 | labels: 19 | name: redis-slave 20 | spec: 21 | replicas: 2 22 | selector: 23 | name: redis-slave 24 | template: 25 | metadata: 26 | labels: 27 | name: redis-slave 28 | spec: 29 | containers: 30 | - name: slave 31 | image: kubeguide/guestbook-redis-slave 32 | ports: 33 | - containerPort: 6379 34 | 35 | 36 | 37 | kubectl config use-context ctx-prod 38 | -------------------------------------------------------------------------------- /Chapter10/10.4.1 pod-resources-setting.yaml: -------------------------------------------------------------------------------- 1 | # Resources requests and limits 2 | --- 3 | apiVersion: v1 4 | kind: Pod 5 | metadata: 6 | name: frontend 7 | spec: 8 | containers: 9 | - name: db 10 | image: mysql 11 | resources: 12 | requests: 13 | memory: "64Mi" 14 | cpu: "250m" 15 | limits: 16 | memory: "128Mi" 17 | cpu: "500m" 18 | - name: wp 19 | image: wordpress 20 | resources: 21 | requests: 22 | memory: "64Mi" 23 | cpu: "250m" 24 | limits: 25 | memory: "128Mi" 26 | cpu: "500m" 27 | 28 | 29 | 30 | 31 | # Huge Page 32 | --- 33 | apiVersion: v1 34 | kind: Pod 35 | metadata: 36 | generateName: hugepages-volume- 37 | spec: 38 | containers: 39 | - image: fedora:latest 40 | command: 41 | - sleep 42 | - inf 43 | name: example 44 | volumeMounts: 45 | - mountPath: /hugepages 46 | name: hugepage 47 | resources: 48 | limits: 49 | hugepages-2Mi: 100Mi 50 | memory: 100Mi 51 | requests: 52 | memory: 100Mi 53 | volumes: 54 | - name: hugepage 55 | emptyDir: 56 | medium: HugePages 57 | -------------------------------------------------------------------------------- /Chapter10/10.4.2 
limitrange.yaml: -------------------------------------------------------------------------------- 1 | # LimitRange 2 | --- 3 | apiVersion: v1 4 | kind: LimitRange 5 | metadata: 6 | name: mylimits 7 | spec: 8 | limits: 9 | - max: 10 | cpu: "4" 11 | memory: 2Gi 12 | min: 13 | cpu: 200m 14 | memory: 6Mi 15 | maxLimitRequestRatio: 16 | cpu: 3 17 | memory: 2 18 | type: Pod 19 | - default: 20 | cpu: 300m 21 | memory: 200Mi 22 | defaultRequest: 23 | cpu: 200m 24 | memory: 100Mi 25 | max: 26 | cpu: "2" 27 | memory: 1Gi 28 | min: 29 | cpu: 100m 30 | memory: 3Mi 31 | maxLimitRequestRatio: 32 | cpu: 5 33 | memory: 4 34 | type: Container 35 | 36 | 37 | 38 | 39 | # invalid-pod.yaml 40 | --- 41 | apiVersion: v1 42 | kind: Pod 43 | metadata: 44 | name: invalid-pod 45 | spec: 46 | containers: 47 | - name: kubernetes-serve-hostname 48 | image: gcr.io/google_containers/serve_hostname 49 | resources: 50 | limits: 51 | cpu: "3" 52 | memory: 100Mi 53 | 54 | 55 | 56 | 57 | # limit-test-nginx.yaml 58 | --- 59 | apiVersion: v1 60 | kind: Pod 61 | metadata: 62 | name: limit-test-nginx 63 | labels: 64 | name: limit-test-nginx 65 | spec: 66 | containers: 67 | - name: limit-test-nginx 68 | image: nginx 69 | resources: 70 | limits: 71 | cpu: "1" 72 | memory: 512Mi 73 | requests: 74 | cpu: "0.8" 75 | memory: 250Mi 76 | 77 | 78 | 79 | 80 | # valid-pod.yaml 81 | --- 82 | apiVersion: v1 83 | kind: Pod 84 | metadata: 85 | name: valid-pod 86 | labels: 87 | name: valid-pod 88 | spec: 89 | containers: 90 | - name: kubernetes-serve-hostname 91 | image: gcr.io/google_containers/serve_hostname 92 | resources: 93 | limits: 94 | cpu: "1" 95 | memory: 512Mi 96 | -------------------------------------------------------------------------------- /Chapter10/10.4.4 resourcequota.yaml: -------------------------------------------------------------------------------- 1 | # compute-resources.yaml 2 | --- 3 | apiVersion: v1 4 | kind: ResourceQuota 5 | metadata: 6 | name: compute-resources 7 | spec: 8 | hard: 9 | pods: 
"4" 10 | requests.cpu: "1" 11 | requests.memory: 1Gi 12 | limits.cpu: "2" 13 | limits.memory: 2Gi 14 | 15 | 16 | # object-counts.yaml 17 | --- 18 | apiVersion: v1 19 | kind: ResourceQuota 20 | metadata: 21 | name: object-counts 22 | spec: 23 | hard: 24 | configmaps: "10" 25 | persistentvolumeclaims: "4" 26 | replicationcontrollers: "20" 27 | secrets: "10" 28 | services: "10" 29 | services.loadbalancers: "2" 30 | -------------------------------------------------------------------------------- /Chapter10/10.4.5 limitrange-resourcequota-practice.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: quota-example 6 | 7 | 8 | # object-counts.yaml 9 | --- 10 | apiVersion: v1 11 | kind: ResourceQuota 12 | metadata: 13 | name: object-counts 14 | spec: 15 | hard: 16 | persistentvolumeclaims: "2" 17 | services.loadbalancers: "2" 18 | services.nodeports: "0" 19 | 20 | 21 | --- 22 | apiVersion: v1 23 | kind: ResourceQuota 24 | metadata: 25 | name: compute-resources 26 | spec: 27 | hard: 28 | pods: "4" 29 | requests.cpu: "1" 30 | requests.memory: 1Gi 31 | limits.cpu: "2" 32 | limits.memory: 2Gi 33 | 34 | 35 | kubectl run nginx --image=nginx --replicas=1 --namespace=quota-example 36 | 37 | 38 | 39 | 40 | 41 | 42 | # limits.yaml 43 | --- 44 | apiVersion: v1 45 | kind: LimitRange 46 | metadata: 47 | name: limits 48 | spec: 49 | limits: 50 | - default: 51 | cpu: 200m 52 | memory: 512Mi 53 | defaultRequest: 54 | cpu: 100m 55 | memory: 256Mi 56 | type: Container 57 | 58 | 59 | kubectl run nginx \ 60 | --image=nginx \ 61 | --replicas=1 \ 62 | --requests=cpu=100m,memory=256Mi \ 63 | --limits=cpu=200m,memory=512Mi \ 64 | --namespace=quota-example 65 | 66 | 67 | 68 | 69 | 70 | 71 | kubectl create namespace quota-scopes 72 | 73 | # best-effort.yaml 74 | --- 75 | apiVersion: v1 76 | kind: ResourceQuota 77 | metadata: 78 | name: best-effort 79 | spec: 80 | hard: 81 | pods: "10" 82 | 
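scopes:
  - BestEffort

---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: not-best-effort
spec:
  hard:
    pods: "4"
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
  scopes:
    - NotBestEffort


# Current kubectl no longer accepts --replicas on `kubectl run` (it only creates
# a Pod); use `kubectl create deployment ... --replicas=N` for the same effect.
kubectl run best-effort-nginx --image=nginx --replicas=8 --namespace=quota-scopes


kubectl run not-best-effort-nginx \
  --image=nginx \
  --replicas=2 \
  --requests=cpu=100m,memory=256Mi \
  --limits=cpu=200m,memory=512Mi \
  --namespace=quota-scopes

-------------------------------------------------------------------------------- /Chapter10/10.4.6 share-process-namespace.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  # One PID namespace for the whole pod: each container sees and can signal the
  # others' processes, and their filesystems become visible through /proc.
  # Treat this as a troubleshooting-only setting, not a production default.
  shareProcessNamespace: true
  containers:
    - name: nginx
      image: nginx
    - name: shell
      image: busybox
      securityContext:
        capabilities:
          add:
            # Lets this container attach a debugger to the nginx processes;
            # together with the shared PID namespace it removes the isolation
            # between the two containers, so keep such pods short-lived.
            - SYS_PTRACE
      stdin: true
      tty: true

-------------------------------------------------------------------------------- /Chapter10/10.6 poddisruptionbudget.yaml: --------------------------------------------------------------------------------
# nginx-deployment.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      name: nginx
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 80
              protocol: TCP



# pdb.yaml
---
# policy/v1beta1 PodDisruptionBudget has been removed from current releases; use policy/v1.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: nginx
spec:
  # Equal to the Deployment's replicas, so the budget never permits a voluntary
  # eviction: `kubectl drain` of a node hosting one of these pods blocks until
  # the pod leaves some other way. Use 2 (or a percentage) to allow one pod at a
  # time to be disrupted.
  minAvailable: 3
  selector:
    matchLabels:
      name: nginx




# evict
curl -v -H 'Content-type: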
application/json' http:///api/v1/namespaces/default/pods/nginx-1968750913-0k01k/eviction -d @eviction.json
# The eviction request above needs a reachable, authenticated API endpoint:
# the empty host in "http:///" is a placeholder, and plain http carries no
# credentials. Either run "kubectl proxy" and target http://127.0.0.1:8001/...,
# or use https with --cacert and a bearer token. The pod name is a sample and
# eviction.json (an Eviction object naming the pod) is not part of this listing.
--------------------------------------------------------------------------------
/Chapter10/10.7.1 metrics-server.yaml:
--------------------------------------------------------------------------------
# metrics-server: aggregates kubelet resource metrics and serves them through
# the metrics.k8s.io aggregated API (used by HPA and "kubectl top").
# k8s.gcr.io is being phased out in favour of registry.k8s.io; newer clusters
# may need the image reference updated.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
    spec:
      serviceAccountName: metrics-server
      volumes:
      - name: tmp-dir
        emptyDir: {}
      containers:
      - name: metrics-server
        image: k8s.gcr.io/metrics-server/metrics-server:v0.3.7
        imagePullPolicy: IfNotPresent
        args:
        - --cert-dir=/tmp
        - --secure-port=4443
        # --kubelet-insecure-tls disables verification of every kubelet's
        # serving certificate, so anything on the node network that can answer
        # on port 10250 could impersonate a kubelet and feed bogus metrics
        # (which drive HPA decisions). Where kubelet serving certs are signed by
        # the cluster CA (e.g. kubeadm with serverTLSBootstrap), replace this
        # with --kubelet-certificate-authority=/path/to/ca.crt.
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP
        ports:
        - name: main-port
          containerPort: 4443
          protocol: TCP
        # Hardened container: read-only root, non-root UID; /tmp is the only
        # writable path and is backed by the emptyDir above.
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - name: tmp-dir
          mountPath: /tmp
      nodeSelector:
        kubernetes.io/os: linux
        kubernetes.io/arch: "amd64"
---
apiVersion: v1
kind: Service
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    kubernetes.io/name: "Metrics-server"
    kubernetes.io/cluster-service: "true"
spec:
  selector:
    k8s-app: metrics-server
  ports:
  - port: 443
    protocol: TCP
    targetPort: main-port

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
---
# Read-only access to the objects metrics-server scrapes and correlates.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:metrics-server
rules:
- apiGroups:
  - ""
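resources:
- pods
- nodes
- nodes/stats
- namespaces
# get/list/watch on every ConfigMap in the cluster matches the upstream v0.3.x
# manifest but is broader than the pod/node metrics path obviously needs;
# drop it if your metrics-server version does not require it -- verify.
- configmaps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system




---
# Registers metrics-server as the backend for /apis/metrics.k8s.io/v1beta1.
# apiregistration.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has been
# available since 1.10 and is used here.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1beta1.metrics.k8s.io
spec:
  service:
    name: metrics-server
    namespace: kube-system
  group: metrics.k8s.io
  version: v1beta1
  # With this set, the kube-aggregator forwards metrics requests to whatever
  # answers at the metrics-server Service without checking its certificate.
  # The proper fix is to serve with a certificate the aggregator can verify
  # and place that CA in spec.caBundle; with --cert-dir=/tmp in the
  # Deployment the server presumably self-signs at startup, which is why
  # verification is disabled in this sample.
  insecureSkipTLSVerify: true
  groupPriorityMinimum: 100
  versionPriority: 100

---
# Aggregated into the built-in view/edit/admin roles so ordinary users can
# read metrics (and run "kubectl top") without extra bindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:aggregated-metrics-reader
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "list", "watch"]
---
# Lets metrics-server delegate authn/authz of incoming requests to the
# kube-apiserver (TokenReview / SubjectAccessReview).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
# Read access to the extension-apiserver-authentication ConfigMap, which holds
# the client CA the aggregator uses when proxying requests to this server.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader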
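subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
--------------------------------------------------------------------------------
/Chapter10/10.7.2 prometheus-grafana.yaml:
--------------------------------------------------------------------------------
# prometheus
# Scrape configuration. Every in-cluster target is reached with the pod's
# service-account token; the ClusterRole further down grants the read access
# that token needs.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: EnsureExists
data:
  prometheus.yml: |
    global:
      scrape_interval: 30s
    scrape_configs:
    - job_name: prometheus
      static_configs:
      - targets:
        - localhost:9090
    - job_name: kubernetes-apiservers
      kubernetes_sd_configs:
      - role: endpoints
      relabel_configs:
      - action: keep
        regex: default;kubernetes;https
        source_labels:
        - __meta_kubernetes_namespace
        - __meta_kubernetes_service_name
        - __meta_kubernetes_endpoint_port_name
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        # The API server's serving certificate is issued by the cluster CA in
        # ca.crt above, so it can and should be verified: with verification
        # off, anything answering on the endpoint address would receive this
        # pod's bearer token. Changed from true; if your API server cert lacks
        # a SAN for the endpoint IP, fix the cert rather than re-enabling.
        insecure_skip_verify: false
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

    - job_name: kubernetes-nodes-kubelet
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        # Kept for the kubelet jobs: kubelet serving certificates are
        # self-signed by default (unless serverTLSBootstrap or a CA-issued cert
        # is configured), so ca.crt would not validate them. If they are
        # CA-signed in your cluster, set this to false as well -- otherwise the
        # service-account token is sent to an unverified endpoint.
        insecure_skip_verify: true
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

    - job_name: kubernetes-nodes-cadvisor
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - target_label: __metrics_path__
        replacement: /metrics/cadvisor
      scheme: https
      tls_config:
        ca_file: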
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        # Same caveat as the kubelet job: only safe to keep while kubelet
        # serving certs are self-signed; set to false once they are CA-issued.
        insecure_skip_verify: true
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

    # Opt-in scraping of Services annotated prometheus.io/scrape: "true".
    # Targets are scraped over plain http unless prometheus.io/scheme says
    # otherwise, and no credentials are sent -- fine for in-cluster exporters,
    # but do not expect it to reach endpoints that require auth.
    - job_name: kubernetes-service-endpoints
      kubernetes_sd_configs:
      - role: endpoints
      relabel_configs:
      - action: keep
        regex: true
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_scrape
      - action: replace
        regex: (https?)
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_scheme
        target_label: __scheme__
      - action: replace
        regex: (.+)
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_path
        target_label: __metrics_path__
      - action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        source_labels:
        - __address__
        - __meta_kubernetes_service_annotation_prometheus_io_port
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_service_label_(.+)
      - action: replace
        source_labels:
        - __meta_kubernetes_namespace
        target_label: kubernetes_namespace
      - action: replace
        source_labels:
        - __meta_kubernetes_service_name
        target_label: kubernetes_name

    # HTTP probing of Services annotated prometheus.io/probe: "true" through a
    # blackbox exporter reachable as "blackbox". No such exporter is defined
    # anywhere in this manifest set, so these targets stay down until one is
    # deployed under that name in Prometheus's namespace.
    - job_name: kubernetes-services
      kubernetes_sd_configs:
      - role: service
      metrics_path: /probe
      params:
        module:
        - http_2xx
      relabel_configs:
      - action: keep
        regex: true
        source_labels:
        - __meta_kubernetes_service_annotation_prometheus_io_probe
      - source_labels:
        - __address__
        target_label: __param_target
      - replacement: blackbox
        target_label: __address__
      - source_labels:
        - __param_target
        target_label: instance
      - action: labelmap
        regex: __meta_kubernetes_service_label_(.+)
      - source_labels:
        - __meta_kubernetes_namespace
        target_label: kubernetes_namespace
      - source_labels:
        -
__meta_kubernetes_service_name
        target_label: kubernetes_name

    # Opt-in scraping of Pods annotated prometheus.io/scrape: "true" (plain
    # http, no credentials). Any workload that can set pod annotations can
    # make Prometheus scrape it; harmless by itself, but keep it in mind when
    # dashboards are used for decisions.
    - job_name: kubernetes-pods
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - action: keep
        regex: true
        source_labels:
        - __meta_kubernetes_pod_annotation_prometheus_io_scrape
      - action: replace
        regex: (.+)
        source_labels:
        - __meta_kubernetes_pod_annotation_prometheus_io_path
        target_label: __metrics_path__
      - action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        source_labels:
        - __address__
        - __meta_kubernetes_pod_annotation_prometheus_io_port
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
      - action: replace
        source_labels:
        - __meta_kubernetes_namespace
        target_label: kubernetes_namespace
      - action: replace
        source_labels:
        - __meta_kubernetes_pod_name
        target_label: kubernetes_pod_name
    # "......" is the book's elision marker, not configuration: Prometheus
    # refuses to load prometheus.yml while it is present. Delete it, or
    # replace it with the jobs omitted from the printed listing.
    ......
---
# Prometheus server Deployment (single replica; the hostPath store below means
# a second replica would not share data anyway).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus
  namespace: kube-system
  labels:
    k8s-app: prometheus
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    version: v2.19.2
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: prometheus
      version: v2.19.2
  template:
    metadata:
      labels:
        k8s-app: prometheus
        version: v2.19.2
      annotations:
        # Legacy annotation, no longer honored on current releases;
        # priorityClassName below is what actually marks the pod critical.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: prometheus
      initContainers:
      # Runs as root to hand the data directory to uid 65534 (nobody), which
      # the prometheus image runs as. "busybox:latest" is a mutable tag and,
      # with IfNotPresent, whatever version happens to be cached on the node;
      # pin a tag (or digest) for reproducible, auditable deployments.
      - name: "init-chown-data"
        image: "busybox:latest"
        imagePullPolicy: "IfNotPresent"
        command: ["chown", "-R", "65534:65534", "/data"]
        volumeMounts:
        - name: storage-volume
          mountPath: /data
          subPath: ""
      containers:
      # Sidecar that POSTs to /-/reload whenever the ConfigMap mount changes;
      # it is the reason --web.enable-lifecycle is turned on below.
      - name: prometheus-server-configmap-reload
        image: "jimmidyson/configmap-reload:v0.3.0"
        imagePullPolicy: "IfNotPresent"
        args:
        - --volume-dir=/etc/config
        - --webhook-url=http://localhost:9090/-/reload
        volumeMounts:
        - name: config-volume
          mountPath: /etc/config
          readOnly: true
        resources:
          limits:
            cpu: 1
            memory: 256Mi
          requests:
            cpu: 100m
            memory: 50Mi
      - name: prometheus-server
        image: "prom/prometheus:v2.19.2"
        imagePullPolicy: "IfNotPresent"
        args:
        - --config.file=/etc/config/prometheus.yml
        - --storage.tsdb.path=/data
        # --storage.tsdb.retention is the deprecated spelling; newer releases
        # expect --storage.tsdb.retention.time=7d.
        - --storage.tsdb.retention=7d
        - --web.console.libraries=/etc/prometheus/console_libraries
        - --web.console.templates=/etc/prometheus/consoles
        # Enables unauthenticated POST /-/reload and /-/quit. Acceptable while
        # only the localhost sidecar can reach 9090, but the Service later in
        # this file publishes 9090 on a NodePort, so anyone on the node network
        # can restart or kill Prometheus. Keep the port off NodePort or put an
        # authenticating proxy in front.
        - --web.enable-lifecycle
        ports:
        - containerPort: 9090
        readinessProbe:
          httpGet:
            path: /-/ready
            port: 9090
          initialDelaySeconds: 30
          timeoutSeconds: 30
        livenessProbe:
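httpGet:
  path: /-/healthy
  port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30
        resources:
          limits:
            cpu: 4
            memory: 8Gi
          requests:
            cpu: 0.1
            memory: 128Mi
        volumeMounts:
        - name: config-volume
          mountPath: /etc/config
        - name: storage-volume
          mountPath: /data
          subPath: ""
      terminationGracePeriodSeconds: 300
      volumes:
      - name: config-volume
        configMap:
          name: prometheus-config
      - name: storage-volume
        # hostPath ties the TSDB to whichever node the pod lands on and writes
        # under that node's /root. On anything beyond a single-node lab use a
        # PersistentVolumeClaim (chapter 8) so data survives rescheduling and
        # the pod never touches the host filesystem directly.
        hostPath:
          path: /root/prometheus/data
          type: DirectoryOrCreate

---
kind: Service
apiVersion: v1
metadata:
  name: prometheus
  namespace: kube-system
  labels:
    kubernetes.io/name: "Prometheus"
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  # NodePort exposes the Prometheus UI and API -- unauthenticated, and with
  # --web.enable-lifecycle also POST /-/quit and /-/reload -- on every node's
  # address. Prefer ClusterIP plus an authenticated Ingress (4.6.4) or
  # "kubectl port-forward" for access. nodePort 9090 is also outside the
  # default 30000-32767 range and is rejected unless --service-node-port-range
  # was widened on the API server.
  type: NodePort
  ports:
  - name: http
    port: 9090
    nodePort: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    k8s-app: prometheus

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
# Read-only discovery/scrape permissions for the service-account token used
# in prometheus.yml. rbac.authorization.k8s.io/v1beta1 was removed in
# Kubernetes 1.22; v1 (available since 1.8) is used here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/metrics
  - services
  - endpoints
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- nonResourceURLs:
  - "/metrics"
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding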
metadata:
  name: prometheus
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
- kind: ServiceAccount
  name: prometheus
  namespace: kube-system





# node exporter
# Per-node host metrics. It legitimately needs hostNetwork, hostPID and the
# host's /proc and /sys, which is exactly the combination a PodSecurityPolicy
# (6.6) or Pod Security "baseline" profile forbids -- grant it an explicit
# exception rather than loosening the namespace default. No tolerations are
# set, so tainted control-plane nodes are not covered.
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
  namespace: kube-system
  labels:
    k8s-app: node-exporter
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    version: v1.0.1
spec:
  updateStrategy:
    type: OnDelete
  selector:
    matchLabels:
      k8s-app: node-exporter
      version: v1.0.1
  template:
    metadata:
      labels:
        k8s-app: node-exporter
        version: v1.0.1
      annotations:
        # Legacy annotation, no longer honored; priorityClassName is what counts.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      priorityClassName: system-node-critical
      containers:
      - name: prometheus-node-exporter
        image: "prom/node-exporter:v1.0.1"
        imagePullPolicy: "IfNotPresent"
        args:
        - --path.procfs=/host/proc
        - --path.sysfs=/host/sys
        ports:
        - name: metrics
          containerPort: 9100
          # Redundant with hostNetwork: true below (the process already binds
          # the node's 9100). Either way the metrics endpoint is reachable,
          # unauthenticated, from anything that can reach the node; restrict
          # it at the node firewall or a host-level NetworkPolicy.
          hostPort: 9100
        volumeMounts:
        - name: proc
          mountPath: /host/proc
          readOnly: true
        - name: sys
          mountPath: /host/sys
          readOnly: true
        resources:
          limits:
            cpu: 1
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 50Mi
        # No securityContext: the container runs as whatever user the image
        # defaults to (upstream ships a non-root user, but declaring
        # runAsNonRoot: true makes that an enforced property -- verify).
      hostNetwork: true
      hostPID: true
      volumes:
      - name: proc
        hostPath:
          path: /proc
      - name: sys
        hostPath:
          path: /sys


---
apiVersion: v1
kind: Service
metadata:
  name: node-exporter
  namespace: kube-system
  annotations:
    # Picked up by the kubernetes-service-endpoints scrape job above.
    prometheus.io/scrape: "true"
  labels:
kubernetes.io/cluster-service: "true" 418 | addonmanager.kubernetes.io/mode: Reconcile 419 | kubernetes.io/name: "NodeExporter" 420 | spec: 421 | clusterIP: None 422 | ports: 423 | - name: metrics 424 | port: 9100 425 | protocol: TCP 426 | targetPort: 9100 427 | selector: 428 | k8s-app: node-exporter 429 | 430 | 431 | 432 | 433 | 434 | # grafana 435 | --- 436 | kind: Deployment 437 | apiVersion: extensions/v1beta1 438 | metadata: 439 | name: grafana 440 | namespace: kube-system 441 | labels: 442 | k8s-app: grafana 443 | kubernetes.io/cluster-service: "true" 444 | addonmanager.kubernetes.io/mode: Reconcile 445 | spec: 446 | replicas: 1 447 | selector: 448 | matchLabels: 449 | k8s-app: grafana 450 | template: 451 | metadata: 452 | labels: 453 | k8s-app: grafana 454 | annotations: 455 | scheduler.alpha.kubernetes.io/critical-pod: '' 456 | spec: 457 | priorityClassName: system-cluster-critical 458 | tolerations: 459 | - key: node-role.kubernetes.io/master 460 | effect: NoSchedule 461 | - key: "CriticalAddonsOnly" 462 | operator: "Exists" 463 | containers: 464 | - name: grafana 465 | image: grafana/grafana:6.0.1 466 | imagePullPolicy: IfNotPresent 467 | resources: 468 | limits: 469 | cpu: 1 470 | memory: 1Gi 471 | requests: 472 | cpu: 100m 473 | memory: 100Mi 474 | env: 475 | - name: GF_AUTH_BASIC_ENABLED 476 | value: "false" 477 | - name: GF_AUTH_ANONYMOUS_ENABLED 478 | value: "true" 479 | - name: GF_AUTH_ANONYMOUS_ORG_ROLE 480 | value: Admin 481 | - name: GF_SERVER_ROOT_URL 482 | value: /api/v1/namespaces/kube-system/services/grafana/proxy/ 483 | ports: 484 | - name: ui 485 | containerPort: 3000 486 | 487 | --- 488 | apiVersion: v1 489 | kind: Service 490 | metadata: 491 | name: grafana 492 | namespace: kube-system 493 | labels: 494 | kubernetes.io/cluster-service: "true" 495 | addonmanager.kubernetes.io/mode: Reconcile 496 | kubernetes.io/name: "Grafana" 497 | spec: 498 | ports: 499 | - port: 80 500 | protocol: TCP 501 | targetPort: ui 502 | selector: 503 | k8s-app: 
grafana
--------------------------------------------------------------------------------
/Chapter10/10.8.2 elasticsearch-fluentd-kibana.yml:
--------------------------------------------------------------------------------
# elasticsearch.yaml
# Single-node Elasticsearch for the logging demo. Security is switched off
# (see the env block), so every pod in the cluster that can reach port 9200
# can read, modify or delete all collected logs. Enable xpack security and
# give fluentd/kibana credentials, or at minimum add a NetworkPolicy (7.8)
# that limits ingress to the fluentd and kibana pods.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: elasticsearch
  namespace: kube-system
  labels:
    k8s-app: elasticsearch
    version: v7.5.1
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: elasticsearch
      version: v7.5.1
  template:
    metadata:
      labels:
        k8s-app: elasticsearch
        version: v7.5.1
    spec:
      initContainers:
      # vm.max_map_count is a node-wide (non-namespaced) kernel parameter, so
      # setting it from a pod requires privileged: true -- full access to the
      # node. Prefer setting it once on the nodes (sysctl.d / node image) and
      # dropping this init container; if it stays, it needs an explicit
      # PodSecurityPolicy exception. "busybox" is untagged (mutable "latest").
      - name: elasticsearch-init
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["/bin/sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      containers:
      - name: elasticsearch
        image: elasticsearch:7.5.1
        imagePullPolicy: IfNotPresent
        env:
        - name: namespace
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: node.name
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: cluster.name
          value: elasticsearch
        - name: discovery.type
          value: single-node
        - name: NUMBER_OF_MASTERS
          value: "1"
        # No authentication or TLS on 9200/9300. Combined with network.host
        # 0.0.0.0 this is an open, writable log store on the pod network.
        - name: xpack.security.enabled
          value: "false"
        - name: network.host
          value: 0.0.0.0
        - name: network.publish_host
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        resources:
          limits:
            cpu: 2
            memory: 4Gi
          requests:
            cpu: 100m
            memory: 1Gi
        ports:
        - containerPort: 9200
          name: db
          protocol: TCP
        - containerPort: 9300
          name: transport
          protocol: TCP
        livenessProbe:
          tcpSocket:
            port: transport
          initialDelaySeconds: 5
          timeoutSeconds: 10
        readinessProbe:
          tcpSocket:
port: transport
initialDelaySeconds: 5
timeoutSeconds: 10
        volumeMounts:
        - name: elasticsearch
          mountPath: /usr/share/elasticsearch/data
      volumes:
      - name: elasticsearch
        # hostPath under the node's /root: the index lives on one node only and
        # the pod writes straight to the host filesystem. Use a PVC (chapter 8)
        # outside a single-node lab.
        hostPath:
          path: /root/es/elasticsearch-data

---
# ClusterIP Service for port 9200. Because security is disabled in the
# Deployment, this publishes an unauthenticated Elasticsearch API to the whole
# cluster -- pair it with a NetworkPolicy restricting clients.
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: kube-system
  labels:
    k8s-app: elasticsearch
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "Elasticsearch"
spec:
  selector:
    k8s-app: elasticsearch
    version: v7.5.1
  ports:
  - port: 9200
    protocol: TCP
    targetPort: db





# fluentd.yaml
# Log shipper DaemonSet. Note that the plain fluent/fluentd image does not
# bundle the elasticsearch output plugin -- verify, or use the
# fluent/fluentd-kubernetes-daemonset image which does. No serviceAccountName
# is set, so the pod runs with the namespace's default account; a
# kubernetes_metadata filter, if added, would need RBAC to read pods.
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd
  namespace: kube-system
  labels:
    k8s-app: fluentd
spec:
  selector:
    matchLabels:
      k8s-app: fluentd
  template:
    metadata:
      labels:
        k8s-app: fluentd
    spec:
      containers:
      - name: fluentd
        image: fluent/fluentd:v1.9.2-1.0
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            memory: 500Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        # /var/log is mounted read-write because the config keeps its position
        # file there; that also gives the pod write access to every host log
        # (tampering/erasure of audit trails). Prefer mounting /var/log
        # read-only and a small dedicated hostPath (e.g. /var/lib/fluentd) for
        # the pos_file.
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
        - name: config-volume
          mountPath: /etc/fluent/config.d
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: config-volume
        configMap:
          name: fluentd-config


---
kind: ConfigMap
apiVersion: v1
metadata:
  name: fluentd-config
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
data:
  fluentd.conf : |-
175 | # container stdout and stderr log 176 | 177 | @id fluentd-containers.log 178 | @type tail 179 | path /var/log/containers/*.log 180 | pos_file /var/log/es-containers.log.pos 181 | tag raw.container.* 182 | read_from_head true 183 | 184 | @type multi_format 185 | 186 | format json 187 | time_key time 188 | time_format %Y-%m-%dT%H:%M:%S.%NZ 189 | 190 | 191 | format /^(? 194 | 195 | 196 | 197 | # kube-apiserver log 198 | 199 | @id kube-apiserver.log 200 | @type tail 201 | format multiline 202 | multiline_flush_interval 5s 203 | format_firstline /^\w\d{4}/ 204 | format1 /^(?\w)(?