💾 Archived View for ibannieto.info › stuff › kubernetes.gmi captured on 2023-09-08 at 15:59:43. Gemini links have been rewritten to link to archived content
- docker is required to build and run container images (your apps, and the containers a k3d/k3s cluster runs in)
- kubectl (latest version) is required to manage Kubernetes clusters from your computer
- aws cli installed and configured on your computer (only for AWS)
- access to a Kubernetes cluster: docker-desktop, minikube, k3s, or in the cloud with AWS (EKS)
- k3d / k3s for local development using only docker (highly recommended!)
- make (GNU make) installed on your computer
- helm (v3) is required for installing addons
- kubens and kubectx are strongly recommended for switching cluster contexts and namespaces
- kustomize is not required, but recommended for building kustomize projects like this one
- kubeval is not required, but recommended for validating Kubernetes manifests against their schemas (kubeval is no longer maintained; kubeconform is its successor with a compatible CLI)
- kube-score is not required, but recommended for developing and validating Kubernetes manifests (it flags missing securityContext settings, probes and resource limits)
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: hello-rocket-config
data:
  ADDR: "0.0.0.0"
  PORT: "8000"
  LOG_LEVEL: "debug"
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-rocket
  labels:
    app.kubernetes.io/name: hello-rocket
    app.kubernetes.io/instance: hello-rocket
    app.kubernetes.io/version: "0.1.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: hello-rocket
      app.kubernetes.io/instance: hello-rocket
  template:
    metadata:
      labels:
        app.kubernetes.io/name: hello-rocket
        app.kubernetes.io/instance: hello-rocket
      # The seccomp.security.alpha.kubernetes.io/pod annotation that used to
      # sit here was deprecated in 1.19; securityContext.seccompProfile below
      # is the supported replacement.
    spec:
      serviceAccountName: hello-rocket
      automountServiceAccountToken: false
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              # The selector must use a label the pods actually carry. The
              # original matched on "app", which no object in this manifest
              # sets, so the rule never spread replicas across nodes.
              - key: app.kubernetes.io/name
                operator: In
                values:
                - hello-rocket
            topologyKey: "kubernetes.io/hostname"
      securityContext:
        runAsUser: 10000
        runAsGroup: 10000
        fsGroup: 10000
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: hello-rocket
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            # NET_BIND_SERVICE was added here originally; it is only needed to
            # bind ports below 1024 and the app listens on 8000, so it is gone.
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          # The container-level value overrides the pod-level one; the
          # original set 1000 here and 10000 above, keep them consistent.
          runAsUser: 10000
        # A mutable tag is acceptable for the local k3d registry; pin a tag
        # or a digest for anything beyond local development.
        image: "dev-local-registry:5000/hello-rocket:latest"
        imagePullPolicy: Always
        envFrom:
        - configMapRef:
            name: hello-rocket-config
        ports:
        - name: http
          containerPort: 8000
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /healthz
            port: http
        readinessProbe:
          httpGet:
            path: /healthz
            port: http
        resources:
          limits:
            cpu: 100m
            memory: 32M
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-rocket
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    # The certmanager.k8s.io/acme-challenge-type annotation that was here
    # (misspelled "http0"; the value is "http01") belongs to the pre-v0.11
    # API group. With cert-manager v1 the solver is configured on the
    # ClusterIssuer, so the annotation is dropped.
spec:
  # spec.ingressClassName replaces the deprecated
  # kubernetes.io/ingress.class annotation.
  ingressClassName: nginx
  rules:
  - host: hello-rocket.my-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hello-rocket
            port:
              number: 8000
  tls:
  - hosts:
    - hello-rocket.my-domain.com
    secretName: hello-rocket
```
```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: my-namespace
  name: my-namespace
```
```yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: hello-rocket
spec:
  # With replicas: 1 this budget never permits a voluntary eviction, so a
  # node drain hangs on this pod; raise replicas or use maxUnavailable.
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: hello-rocket
      app.kubernetes.io/instance: hello-rocket
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: hello-rocket
  labels:
    app.kubernetes.io/name: hello-rocket
    app.kubernetes.io/instance: hello-rocket
    app.kubernetes.io/version: "0.1.0"
spec:
  type: ClusterIP
  ports:
  - port: 8000
    targetPort: http
    protocol: TCP
    name: http
  selector:
    app.kubernetes.io/name: hello-rocket
    app.kubernetes.io/instance: hello-rocket
```
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hello-rocket
automountServiceAccountToken: false
```
```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: aws-storageclass-encrypted
# kubernetes.io/aws-ebs is the legacy in-tree plugin; clusters with CSI
# migration enabled (EKS 1.23 and later) need the aws-ebs-csi-driver
# installed for this class to provision anything.
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
  fsType: ext4
  encrypted: "true"   # EBS encryption at rest; uses the account's default key unless kmsKeyId is set
volumeBindingMode: WaitForFirstConsumer
allowedTopologies:
- matchLabelExpressions:
  # failure-domain.beta.kubernetes.io/zone is deprecated;
  # topology.kubernetes.io/zone is the current key.
  - key: failure-domain.beta.kubernetes.io/zone
    values:
    - eu-west-1a
    - eu-west-1b
    - eu-west-1c
```
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: hello-rocket
spec:
  capacity:
    storage: 64Gi   # required by the API, not enforced by EFS (it is elastic)
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce   # EFS also supports ReadWriteMany if several pods must share it
  persistentVolumeReclaimPolicy: Retain   # data survives deletion of the PVC
  storageClassName: aws-storageclass-efs
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-0c1babcdef12345
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: hello-rocket
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: aws-storageclass-efs   # must match the PV for static binding
  resources:
    requests:
      storage: 64Gi
```
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: staging
# commonLabels is also injected into workload selectors, which are immutable
# once the Deployment exists: changing it later means recreating the workloads.
commonLabels:
  environment: staging
resources:
- /directory/with/your/apps   # was listed under "bases", long deprecated in favour of resources
- namespace.yaml
- ingress.yaml
patchesStrategicMerge:   # kustomize 5 deprecates this field in favour of "patches"
- patch.yaml
configMapGenerator:
- name: frontend-config
  literals:
  - PLACEHOLDER=dummy
- name: backend-config
  literals:
  - PLACEHOLDER=dummy
- name: myapi-config
  literals:
  - PLACEHOLDER=dummy
generatorOptions:
  # Without the name-suffix hash a changed ConfigMap does not trigger a
  # rollout of the pods that consume it.
  disableNameSuffixHash: true
images:
- name: AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/frontend
  newTag: staging   # a mutable tag; "digest: sha256:..." pins one build
- name: AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/backend
  newTag: staging
- name: AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/myapi
  newTag: staging
```
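The manifests above carry a specific set of hardening settings (non-root user, no privilege escalation, all capabilities dropped, read-only root filesystem, RuntimeDefault seccomp, no mounted service-account token, resource limits). The script below is an added example, not code from the page: a small pre-deploy gate that greps a rendered manifest for those settings and fails when one is missing or when a dangerous one (privileged, hostNetwork, a `:latest` image) is present. The two sample manifests it writes are constructed for the demo; the weak one is deliberately bad, the hardened one mirrors the hello-rocket Deployment with its image pinned to a tag. It is line-oriented, so keep kube-score as the authoritative check.

```shell
#!/bin/sh
# Added example, not code from the page: a pre-deploy gate that checks a
# rendered manifest for the hardening settings the Deployment above relies on.
# It is a line-oriented grep, not a YAML parser: use it as a fast CI tripwire
# and keep kube-score/kubeval (recommended above) as the authoritative check.
# Typical use:  kustomize build overlays/staging > rendered.yaml && audit_pod_spec rendered.yaml
set -u

# audit_pod_spec FILE: print one line per failed control and return the number
# of failures (0 = clean), so "audit_pod_spec rendered.yaml || exit 1" gates a
# pipeline. Controls are "name|present-or-absent|extended regex", one per line.
audit_pod_spec() {
    file=$1
    failed=0
    while IFS='|' read -r name mode regex; do
        [ -n "$name" ] || continue
        if grep -qE "$regex" "$file"; then found=1; else found=0; fi
        if { [ "$mode" = present ] && [ "$found" -eq 0 ]; } ||
           { [ "$mode" = absent ] && [ "$found" -eq 1 ]; }; then
            printf 'FAIL %s: expected %s: %s\n' "$name" "$mode" "$regex"
            failed=$((failed + 1))
        fi
    done <<'EOF'
runAsNonRoot|present|^[[:space:]]*runAsNonRoot:[[:space:]]*true
allowPrivilegeEscalation|present|^[[:space:]]*allowPrivilegeEscalation:[[:space:]]*false
readOnlyRootFilesystem|present|^[[:space:]]*readOnlyRootFilesystem:[[:space:]]*true
capabilities-drop-ALL|present|^[[:space:]]*-[[:space:]]*ALL[[:space:]]*$
seccomp-RuntimeDefault|present|^[[:space:]]*type:[[:space:]]*RuntimeDefault
no-SA-token|present|^[[:space:]]*automountServiceAccountToken:[[:space:]]*false
resource-limits|present|^[[:space:]]*limits:
no-privileged|absent|^[[:space:]]*privileged:[[:space:]]*true
no-hostNetwork|absent|^[[:space:]]*hostNetwork:[[:space:]]*true
no-latest-tag|absent|^[[:space:]]*image:.*:latest
EOF
    return "$failed"
}

# Constructed sample (not from the page): a deliberately weak pod spec.
write_weak_sample() {
    cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: weak-app
spec:
  template:
    spec:
      containers:
      - name: app
        image: registry.example/app:latest
        securityContext:
          privileged: true
        resources:
          limits:
            cpu: 100m
EOF
}

# Constructed sample: the settings the hello-rocket Deployment above uses,
# with the image pinned to a tag instead of :latest.
write_hardened_sample() {
    cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-rocket
spec:
  template:
    spec:
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: hello-rocket
        image: dev-local-registry:5000/hello-rocket:0.1.0
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        resources:
          limits:
            cpu: 100m
EOF
}

# Demo when run as "sh audit.sh demo" (sourcing the file only defines the functions).
if [ "${1:-}" = demo ]; then
    w=$(mktemp); h=$(mktemp)
    write_weak_sample "$w"; write_hardened_sample "$h"
    audit_pod_spec "$h" && echo "hardened sample: clean"
    audit_pod_spec "$w" || echo "weak sample: $? control(s) failed"
    rm -f "$w" "$h"
fi
```

The return code is the number of failed controls, so the weak sample exits 8 while the hardened sample exits 0. Note that the Deployment above, as written for the local k3d registry, would trip the `no-latest-tag` control; that is intended for anything past local development.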
TO BE DONE
Deploy a Kubernetes cluster called `dev-local` with a private registry:
```
k3d cluster create dev-local --registry-create dev-local-registry
```
Install the AWS CLI:
Configure aws-cli with `aws configure`:
```
$ aws configure
AWS Access Key ID [None]: AKIAIDN27EXAMPLE
AWS Secret Access Key [None]: wJasfvEfbf/K7MDENG/bPiCYEXAMPLEKEY
Default region name [None]: eu-west-1
Default output format [None]: json
```
The files the CLI generates for a default profile configured with `aws configure` look similar to the following:
File: ~/.aws/credentials
```
[default]
aws_access_key_id=AKIAIDN27EXAMPLE
aws_secret_access_key=wJasfvEfbf/K7MDENG/bPiCYEXAMPLEKEY
```
File: ~/.aws/config
```
[default]
region=eu-west-1
output=json
```
`~/.aws/credentials` holds a long-lived secret in plaintext: keep it mode 600, keep it out of dotfile repositories, and prefer short-lived credentials (`aws configure sso`, or a role assumed with `aws sts assume-role`) where the account allows it.
- Override the current configuration by exporting the `KUBECONFIG` environment variable:
```
export KUBECONFIG=~/.kube/dummy-project.yaml
```
Note that the export only affects the current shell session: new sessions fall back to `~/.kube/config` as the default configuration for all clusters. Add the export to your shell profile if it should persist.
- Use `gcr.io/google-containers/echoserver:1.10` as a dummy image to mimic all the microservices while the manifests are being wired up
- Create or update the kubeconfig entry for an EKS cluster from AWS (the caller needs `eks:DescribeCluster` on it):
```
aws eks --region eu-west-1 update-kubeconfig --name cluster_name
```
- Deploy a new image with kubectl, using `$IMAGE_NAME` as the container image and `$KUBE_NAMESPACE` as the target namespace (here for a deployment named `api` whose container is also named `api`):
```
kubectl set image deployment/api api=$IMAGE_NAME -n $KUBE_NAMESPACE
```
`kubectl set image` only records the change; follow it with `kubectl rollout status deployment/api -n $KUBE_NAMESPACE` to learn whether the new pods actually become ready.
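The `kubectl set image` step above accepts whatever `$IMAGE_NAME` holds, including an untagged reference or `:latest`, which means the running code can change the next time a pod is rescheduled. The wrapper below is an added example, not code from the page: it accepts only a digest or a non-`latest` tag, then rolls out, waits, and undoes the rollout if the pods never become ready. The deployment and container names (`api`) are the ones used above; `$IMAGE_NAME` and `$KUBE_NAMESPACE` are the page's variables.

```shell
#!/bin/sh
# Added example, not code from the page: a wrapper around `kubectl set image`
# that refuses floating image references, so a deploy always points at a
# build that cannot change underneath it. Uses the page's $IMAGE_NAME and
# $KUBE_NAMESPACE convention; the deployment/container names are assumptions.
set -u

# image_ref_ok REF: succeed only if REF is pinned by a sha256 digest or by a
# tag other than "latest". "registry:5000/app" (no tag) floats to :latest,
# so it is rejected; the registry port is not mistaken for a tag.
image_ref_ok() {
    ref=$1
    case $ref in
        *@sha256:*)
            digest=${ref##*@sha256:}
            printf '%s\n' "$digest" | grep -qE '^[0-9a-f]{64}$'
            return ;;
    esac
    last=${ref##*/}          # last path component: "app:1.2.3" or "app"
    case $last in
        *:*) tag=${last##*:} ;;
        *)   return 1 ;;
    esac
    [ "$tag" != latest ] || return 1
    printf '%s\n' "$tag" | grep -qE '^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$'
}

# deploy_image NAMESPACE DEPLOYMENT CONTAINER REF: validate, roll out, wait,
# and undo the rollout if the new pods do not become ready in time.
deploy_image() {
    ns=$1 deploy=$2 container=$3 ref=$4
    if ! image_ref_ok "$ref"; then
        printf 'refusing unpinned image reference: %s\n' "$ref" >&2
        return 2
    fi
    kubectl set image "deployment/$deploy" "$container=$ref" -n "$ns" || return 1
    if ! kubectl rollout status "deployment/$deploy" -n "$ns" --timeout=120s; then
        kubectl rollout undo "deployment/$deploy" -n "$ns"
        return 1
    fi
}

# Example call mirroring the page's command (assumed names):
#   deploy_image "$KUBE_NAMESPACE" api api "$IMAGE_NAME"
```

A digest reference (`repo@sha256:<64 hex>`) is the only form that is immutable by construction; a tag is accepted because registries such as ECR can be configured as immutable, but it is still the weaker choice.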
- Host name to reach a PostgreSQL service in `staging` from another namespace (`service-name.namespace.svc.cluster-domain`):
```
postgresql.staging.svc.cluster.local
```
Top 20 Dockerfile best practices