💾 Archived View for ibannieto.info › stuff › kubernetes.gmi captured on 2023-09-08 at 15:59:43. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-03-20)

-=-=-=-=-=-=-

ibannieto's capsule

Home

Kubernetes

Requirements

- docker is required in order to run and build docker images (like your apps or a k3s cluster)

- kubectl (latest version) is required for kubernetes management from your computer

- aws cli installed and configured in your computer (only for AWS)

- Access to a kubernetes cluster: docker-desktop, minikube, k3s or in the cloud with AWS

- k3d / k3s is for a local development using docker only (very recommended!)

- make (GNU make) installed in your computer

- helm (v3) is required for installing addons

- kubens and kubectx strongly recommended in order to switch cluster contexts and namespaces

- kustomize is not required, but recommended for build kustomize projects like this

- kubeval is not required, but recommended for validating kubernetes manifests against schemas

- kube-score is not required, but recommended for developing and validating kubernetes manifests

ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: hello-rocket-config
data:
  ADDR: "0.0.0.0"
  PORT: "8000"
  LOG_LEVEL: "debug"

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-rocket
  labels:
    app.kubernetes.io/name: hello-rocket
    app.kubernetes.io/instance: hello-rocket
    app.kubernetes.io/version: "0.1.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: hello-rocket
      app.kubernetes.io/instance: hello-rocket
  template:
    metadata:
      labels:
        app.kubernetes.io/name: hello-rocket
        app.kubernetes.io/instance: hello-rocket
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: "docker/default"
    spec:
      serviceAccountName: hello-rocket
      automountServiceAccountToken: false
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - hello-rocket
            topologyKey: "kubernetes.io/hostname"
      securityContext:
        runAsUser: 10000
        runAsGroup: 10000
        fsGroup: 10000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: hello-rocket
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
              - NET_BIND_SERVICE
              drop:
              - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
          image: "dev-local-registry:5000/hello-rocket:latest"
          imagePullPolicy: Always
          envFrom:
          - configMapRef:
              name: hello-rocket-config
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
          resources:
            limits:
              cpu: 100m
              memory: 32M

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-rocket
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    certmanager.k8s.io/acme-challenge-type: http0
spec:
  rules:
  - host: hello-rocket.my-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hello-rocket
            port:
              number: 8000
  tls:
    - hosts:
        - hello-rocket.my-domain.com
      secretName: hello-rocket

Namespaces

apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: my-namespace
  name: my-namespace

PodDisruptionBudget

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: hello-rocket
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: hello-rocket
      app.kubernetes.io/instance: hello-rocket

Service

apiVersion: v1
kind: Service
metadata:
  name: hello-rocket
  labels:
    app.kubernetes.io/name: hello-rocket
    app.kubernetes.io/instance: hello-rocket
    app.kubernetes.io/version: "0.1.0"
spec:
  type: ClusterIP
  ports:
    - port: 8000
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: hello-rocket
    app.kubernetes.io/instance: hello-rocket

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: hello-rocket
automountServiceAccountToken: false

StorageClass

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: aws-storageclass-encrypted
parameters:
  type: gp2
  fsType: ext4
  encrypted: "true"
provisioner: kubernetes.io/aws-ebs
volumeBindingMode: WaitForFirstConsumer
allowedTopologies:
- matchLabelExpressions:
  - key: failure-domain.beta.kubernetes.io/zone
    values:
    - eu-west-1a
    - eu-west-1b
    - eu-west-1c

Volumes

apiVersion: v1
kind: PersistentVolume
metadata:
  name: hello-rocket
spec:
  capacity:
    storage: 64Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: aws-storageclass-efs
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-0c1babcdef12345
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: hello-rocket
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: aws-storageclass-efs
  resources:
    requests:
      storage: 64Gi

Kustomize

kind: Kustomization
bases:
- /directory/with/your/apps

namespace: staging

commonLabels:
  environment: staging

configMapGenerator:
- name: frontend-config
  literals:
  - PLACEHOLDER=dummy
- name: backend-config
  literals:
  - PLACEHOLDER=dummy
- name: myapi-config
  literals:
  - PLACEHOLDER=dummy

resources:
- namespace.yaml
- ingress.yaml

patchesStrategicMerge:
- patch.yaml

generatorOptions:
  disableNameSuffixHash: true

images:
- name: AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/frontend
  newTag: staging
- name: AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/backend
  newTag: staging
- name: AWS_ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com/myapi
  newTag: staging

Helm

TO BE DONE

Local development environment with k3d

Deploy a kubernetes cluster called `dev-local` with private registry:

k3d cluster create dev-local --registry-create dev-local-registry

Working with Amazon Web Services (AWS)

Install the AWS CLI command line:

aws-cli installer

Configure aws-cli with `aws configure`:

aws configure
AWS Access Key ID [None]: AKIAIDN27EXAMPLE
AWS Secret Access Key [None]: wJasfvEfbf/K7MDENG/bPiCYEXAMPLEKEY
Default region name [None]: eu-west-1
Default output format [None]: json

Files generated by the CLI for a default profile configured with `aws configure` looks similar to the following:

File: ~/.aws/credentials

[default]
aws_access_key_id=AKIAIDN27EXAMPLE
aws_secret_access_key=wJasfvEfbf/K7MDENG/bPiCYEXAMPLEKEY

File: ~/.aws/config

[default]
region=eu-west-1
output=json

Tips

- Override the current configuration by exporting the `KUBECONFIG` environment variables:

export KUBECONFIG=~/.kube/dummy-project.yaml

Note that this overriding process is not persistent in your workstation and your session will use `~/.kube/config` as default configuration for all the clusters.

- Use `gcr.io/google-containers/echoserver:1.10` as dummy image in order to mimic all the microservices

- Create, get or update kubeconfig from AWS:

aws eks --region eu-west-1 update-kubeconfig --name cluster_name

- Deploy new image using kubectl by using `$IMAGE_NAME` as the docker (app) image and `$KUBE_NAMESPACE` as the kubernetes namespace target:

kubectl set image deployment/api api=$IMAGE_NAME -n $KUBE_NAMESPACE

- URL to access to a pod postgresql in `staging` from another namespace:

[service-name.namespace.svc.cluster-domain]

postgresql.staging.svc.cluster.local

Further information

k3d

k3s

kind

arkade

k9s

kubectx, kubens

popeye

starship

starship k8s config

ohmyzsh

ohmyzsh kubectl plugin

lens

kubectl

kubectl cheat sheet

kube-score

kustomize

kustomization reference

sops

vault in kubernetes

kubernetes the hard way

Super recommended lectures

Top 20 Dockerfile best practices

14 best practices for containerising your Java applications

Back