Archived view of ibannieto.info › stuff › kubernetes.gmi, captured on 2023-01-29 at 02:37:48.

ibannieto's capsule

Kubernetes

Requirements

- docker is required to build and run container images (your apps, or a k3s cluster)

- kubectl (latest version) is required for managing kubernetes from your computer

- aws cli installed and configured on your computer (only for AWS)

- Access to a kubernetes cluster: docker-desktop, minikube, k3s or in the cloud with AWS

- k3d / k3s for local development using only docker (highly recommended!)

- make (GNU make) installed on your computer

- helm (v3) is required for installing addons

- kubens and kubectx are strongly recommended for switching cluster contexts and namespaces

- kustomize is not required, but recommended for building kustomize projects like this one

- kubeval is not required, but recommended for validating kubernetes manifests against schemas

- kube-score is not required, but recommended for developing and validating kubernetes manifests

ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: hello-rocket-config
data:
  ADDR: "0.0.0.0"
  PORT: "8000"
  LOG_LEVEL: "debug"

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-rocket
  labels:
    app.kubernetes.io/name: hello-rocket
    app.kubernetes.io/instance: hello-rocket
    app.kubernetes.io/version: "0.1.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: hello-rocket
      app.kubernetes.io/instance: hello-rocket
  template:
    metadata:
      labels:
        app.kubernetes.io/name: hello-rocket
        app.kubernetes.io/instance: hello-rocket
      annotations:
        # Legacy seccomp annotation for clusters older than 1.19;
        # securityContext.seccompProfile below is the supported form
        seccomp.security.alpha.kubernetes.io/pod: "docker/default"
    spec:
      serviceAccountName: hello-rocket
      # No API token is mounted into the pod unless the app really needs one
      automountServiceAccountToken: false
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              # The key must be a label the pod carries; the pods have no plain "app" label,
              # so a selector on "app" would match nothing and the rule would do nothing
              - key: app.kubernetes.io/name
                operator: In
                values:
                - hello-rocket
            topologyKey: "kubernetes.io/hostname"
      securityContext:
        runAsUser: 10000
        runAsGroup: 10000
        fsGroup: 10000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: hello-rocket
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              # NET_BIND_SERVICE is only needed for ports below 1024; with PORT=8000 it can be dropped as well
              add:
              - NET_BIND_SERVICE
              drop:
              - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            # The container-level value overrides the pod-level runAsUser (10000) for this container
            runAsUser: 1000
          image: "dev-local-registry:5000/hello-rocket:latest"
          imagePullPolicy: Always
          envFrom:
          - configMapRef:
              name: hello-rocket-config
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
          resources:
            # Requests default to the limits when only limits are given
            limits:
              cpu: 100m
              memory: 32M
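As an added example (not part of the original page), the following Python function applies the hardening rules of the Deployment above (no auto-mounted token, RuntimeDefault seccomp, non-root, read-only root filesystem, all capabilities dropped, limits set, pinned image tag) to a Deployment already parsed into a dict, and also verifies that every podAntiAffinity key is a label the pod actually carries. The embedded sample is a constructed, cut-down copy of the manifest with the anti-affinity key deliberately set to `app` so that the check fires.

```python
def lint_deployment(dep):
    """Return a list of findings for a Deployment dict; empty means all checks pass."""
    findings = []
    tmpl = dep["spec"]["template"]
    labels = tmpl["metadata"].get("labels", {})
    pod = tmpl["spec"]
    if pod.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted")
    if pod.get("securityContext", {}).get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("no RuntimeDefault seccomp profile")
    # An anti-affinity key absent from the pod's own labels matches nothing,
    # so the rule silently stops spreading replicas across nodes.
    rules = pod.get("affinity", {}).get("podAntiAffinity", {})
    for term in rules.get("requiredDuringSchedulingIgnoredDuringExecution", []):
        for expr in term["labelSelector"].get("matchExpressions", []):
            if expr["key"] not in labels:
                findings.append(f"anti-affinity key {expr['key']!r} not in pod labels")
    for c in pod["containers"]:
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        if c.get("image", "").endswith(":latest"):
            findings.append(f"{name}: floating :latest tag")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits")
    return findings

# Constructed sample: the page's Deployment reduced to the checked fields, with the
# anti-affinity key deliberately set to "app" (a label the pod does not carry).
HELLO_ROCKET = {"spec": {"template": {
    "metadata": {"labels": {"app.kubernetes.io/name": "hello-rocket"}},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "affinity": {"podAntiAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": [
            {"labelSelector": {"matchExpressions": [
                {"key": "app", "operator": "In", "values": ["hello-rocket"]}]},
             "topologyKey": "kubernetes.io/hostname"}]}},
        "containers": [{
            "name": "hello-rocket",
            "image": "dev-local-registry:5000/hello-rocket:latest",
            "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "100m", "memory": "32M"}}}]}}}}
```

Feed it the output of `kubectl get deployment hello-rocket -o json` (parsed with `json.loads`) to run the same checks against a live cluster.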

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-rocket
  annotations:
    # Deprecated annotation; clusters on 1.18+ use spec.ingressClassName instead
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    # Legacy certmanager.k8s.io annotation (cert-manager < 0.11); the challenge type is http01
    certmanager.k8s.io/acme-challenge-type: http01
spec:
  rules:
  - host: hello-rocket.my-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hello-rocket
            port:
              number: 8000
  tls:
    - hosts:
        - hello-rocket.my-domain.com
      # cert-manager stores the issued certificate in this Secret
      secretName: hello-rocket

Namespaces

apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: my-namespace
  name: my-namespace

PodDisruptionBudget

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: hello-rocket
spec:
  # With replicas: 1 in the Deployment, minAvailable: 1 blocks every voluntary
  # eviction (e.g. node drains); raise replicas or use maxUnavailable instead
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: hello-rocket
      app.kubernetes.io/instance: hello-rocket

Service

apiVersion: v1
kind: Service
metadata:
  name: hello-rocket
  labels:
    app.kubernetes.io/name: hello-rocket
    app.kubernetes.io/instance: hello-rocket
    app.kubernetes.io/version: "0.1.0"
spec:
  type: ClusterIP
  ports:
    - port: 8000
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: hello-rocket
    app.kubernetes.io/instance: hello-rocket

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: hello-rocket
automountServiceAccountToken: false

StorageClass

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: aws-storageclass-encrypted
parameters:
  type: gp2
  fsType: ext4
  # Volumes are encrypted at rest with the account's default EBS KMS key
  encrypted: "true"
# In-tree provisioner; clusters running the EBS CSI driver use ebs.csi.aws.com instead
provisioner: kubernetes.io/aws-ebs
# Delay volume creation until a pod is scheduled so the volume lands in the pod's zone
volumeBindingMode: WaitForFirstConsumer
allowedTopologies:
- matchLabelExpressions:
  # Legacy zone label; newer clusters label nodes with topology.kubernetes.io/zone
  - key: failure-domain.beta.kubernetes.io/zone
    values:
    - eu-west-1a
    - eu-west-1b
    - eu-west-1c

Volumes

apiVersion: v1
kind: PersistentVolume
metadata:
  name: hello-rocket
spec:
  capacity:
    storage: 64Gi
  volumeMode: Filesystem
  accessModes:
    # EFS also supports ReadWriteMany when several pods must share the volume
    - ReadWriteOnce
  # Retain keeps the data when the claim is deleted
  persistentVolumeReclaimPolicy: Retain
  # For a statically provisioned volume this name only has to match the claim below
  storageClassName: aws-storageclass-efs
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-0c1babcdef12345
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: hello-rocket
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: aws-storageclass-efs
  resources:
    requests:
      storage: 64Gi

Kustomize

# apiVersion and kind identify the file to kustomize
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# "bases" still works but is deprecated; newer kustomize lists these paths under "resources"
bases:
- /directory/with/your/apps

namespace: staging

# commonLabels are also added to selectors, so they must not change after the first deploy
commonLabels:
  environment: staging

configMapGenerator:
- name: frontend-config
  literals:
  - PLACEHOLDER=dummy
- name: backend-config
  literals:
  - PLACEHOLDER=dummy
- name: myapi-config
  literals:
  - PLACEHOLDER=dummy

resources:
- namespace.yaml
- ingress.yaml

# Deprecated in favour of "patches" in recent kustomize releases
patchesStrategicMerge:
- patch.yaml

generatorOptions:
  # Stable ConfigMap names, but a changed value no longer triggers a rollout by itself
  disableNameSuffixHash: true

images:
- name: AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/frontend
  newTag: staging
- name: AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/backend
  newTag: staging
- name: AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/myapi
  newTag: staging

Helm

TO BE DONE

Local development environment with k3d

Deploy a kubernetes cluster called `dev-local` with a private registry:

k3d cluster create dev-local --registry-create dev-local-registry

Working with Amazon Web Services (AWS)

Install the AWS CLI:

aws-cli installer

Configure aws-cli with `aws configure`:

aws configure
AWS Access Key ID [None]: AKIAIDN27EXAMPLE
AWS Secret Access Key [None]: wJasfvEfbf/K7MDENG/bPiCYEXAMPLEKEY
Default region name [None]: eu-west-1
Default output format [None]: json

The files generated by the CLI for a default profile configured with `aws configure` look similar to the following:

File: ~/.aws/credentials

[default]
aws_access_key_id=AKIAIDN27EXAMPLE
aws_secret_access_key=wJasfvEfbf/K7MDENG/bPiCYEXAMPLEKEY

File: ~/.aws/config

[default]
region=eu-west-1
output=json

Tips

- Override the current configuration by exporting the `KUBECONFIG` environment variable:

export KUBECONFIG=~/.kube/dummy-project.yaml

Note that this override only lasts for the current shell session; a new session falls back to `~/.kube/config` as the default configuration for all clusters.

- Use `gcr.io/google-containers/echoserver:1.10` as a dummy image to stand in for all the microservices

- Create, get or update the kubeconfig for an EKS cluster from AWS:

aws eks --region eu-west-1 update-kubeconfig --name cluster_name

- Deploy a new image with kubectl, using `$IMAGE_NAME` as the app's docker image and `$KUBE_NAMESPACE` as the target kubernetes namespace:

kubectl set image deployment/api api=$IMAGE_NAME -n $KUBE_NAMESPACE

- DNS name to reach the postgresql service in `staging` from another namespace, following the `service-name.namespace.svc.cluster-domain` pattern:

postgresql.staging.svc.cluster.local

Further information

k3d

k3s

kind

arkade

k9s

kubectx, kubens

popeye

starship

starship k8s config

ohmyzsh

ohmyzsh kubectl plugin

lens

kubectl

kubectl cheat sheet

kube-score

kustomize

kustomization reference

sops

vault in kubernetes

kubernetes the hard way

Highly recommended reading

Top 20 Dockerfile best practices

14 best practices for containerising your Java applications