I am studying for the Kubernetes certification CKA. These are some notes:<\/p>\n\n\n\n
Master node<\/strong>: manage, plan, schedule and monitor. These are the main components:<\/p>\n\n\n\n Worker node<\/strong>: host apps as containers. Main components:<\/p>\n\n\n\n It is a distributed key-value store (database). TCP 2379<\/strong>. Stores info about nodes, pods, configs, secrets, accounts, roles, bindings etc. Everything related to the cluster.<\/p>\n\n\n\n Basic commands:<\/p>\n\n\n\n Install Manual:<\/p>\n\n\n\n Install via kubeadm already includes etcd:<\/p>\n\n\n\n etcd can be set up as a cluster, but this is for another section.<\/p>\n\n\n\n You can install a binary (like etcd) or use it via kubeadm.<\/p>\n\n\n\n It has many options and it defines certs for all connections<\/strong><\/em>!!!<\/p>\n\n\n\n You can install a binary (like etcd) or use kubeadm. It gets all the info via the API server. Watch status of pods, remediate situations. Parts:<\/p>\n\n\n\n Decides which pod goes to which node. You can install a binary or via kubeadm.<\/p>\n\n\n\n It is like the “captain” of the “ship” (node). Communicates with the kube-cluster via the api-server.<\/p>\n\n\n\n Important<\/strong>: kubeadm doesnt install kubelet<\/em><\/p>\n\n\n\n In a cluster, each pod can reach any other pod -> you need a pod network!<\/p>\n\n\n\n It runs in each node. Creates rules in each node (iptables) to use “services”<\/p>\n\n\n\n It is the smallest kube object.<\/p>\n\n\n\n 1 pod =~ 1 container + help container<\/p>\n\n\n\n It can be created via a “kubectl run” or via yaml<\/strong> file.<\/p>\n\n\n\n Commands:<\/p>\n\n\n\n It always<\/strong> contains “apiVersion”, “kind”, “metadata” and “spec”.<\/p>\n\n\n\n Object in charge of monitoring pods, HA, loadbalancing, scaling. It is a replacement of “replication-controller”. Inside the spec.tempate you “cope\/paste” the pod definition.<\/em><\/p>\n\n\n\n The important part is “selector.matchLabels<\/strong>” where you decide what pods are going to be managed by this replicaset<\/p>\n\n\n\n Example:<\/p>\n\n\n\n Commands:<\/p>\n\n\n\n It is an object that creates a pod + replicaset. It provides the upgrade (rolling updates) feature to the pods.<\/p>\n\n\n\n File is identical as a RS, only changes the “kind”<\/p>\n\n\n\n Commands:<\/p>\n\n\n\n It is a way to create different environments in the cluster. ie: production, testing, features, etc. You can control the resource allocations for the “ns”<\/p>\n\n\n\n By default you have 3 namespaces:<\/p>\n\n\n\n The “ns” is used in DNS<\/strong>.<\/p>\n\n\n\n Keep in mind that POD DNS names <\/strong>are just the “IP” in “-” format.<\/p>\n\n\n\n You can add “namespace: dev” into the “metadata” section of yaml files. By default, namespace=default.<\/p>\n\n\n\n Create “ns”:<\/p>\n\n\n\n Change “ns” in your context if you dont want to type it in each kubectl command:<\/p>\n\n\n\n See all objects in all ns:<\/p>\n\n\n\n You can state the resources (cpu, memory, etc) for a pod.<\/p>\n\n\n\n Example:<\/p>\n\n\n\n Commands:<\/p>\n\n\n\n It is an object. It connects pods to external users or other pods.<\/p>\n\n\n\n Types:<\/p>\n\n\n\n Like a virtual server. SessionAffinity: yes. Random Algorithm for scheduling. <\/p>\n\n\n\n Important parts:<\/p>\n\n\n\n Example:<\/p>\n\n\n\n The important<\/strong> bits are the “spec.ports<\/strong>” and “spec.selector<\/strong>” definitions. The “selector” is used to match on labels from pods where we want to apply this service.<\/p>\n\n\n\n Commands:<\/p>\n\n\n\n Example of creating pod and service imperative way:<\/p>\n\n\n\n It is used for access to several pods (VIP). This is the default service type.<\/p>\n\n\n\n Example:<\/p>\n\n\n\n Commands:<\/p>\n\n\n\n Whatever the service you use, you want to be sure it is in use, you can check that seeing if the service is bound<\/strong> to a node. That is configured by “selector<\/strong>” but to confirm that is correct, use the below command. You must have endpoints to proof your service is attached to some pods.<\/p>\n\n\n\n Based on this “diagram”:<\/p>\n\n\n\n These are the steps we need to define:<\/p>\n\n\n\n imperative<\/strong>: how to do things (step by step)<\/p>\n\n\n\n declarative<\/strong>: just what to do (no how to do) –> infra as code \/ ansible, puppet, terraform, etc<\/p>\n\n\n\n There are three type of files:<\/p>\n\n\n\n “kubectl apply” compares the three files above to find our what to add\/delete.<\/p>\n\n\n\n Check you have a scheduler running:<\/p>\n\n\n\n how to filter via cli:<\/p>\n\n\n\n In Replicasets\/Services, the labels need to match!<\/p>\n\n\n\n set restrictions to check what pods can go to nodes. It doesn’t tell the POD where to go!!!<\/p>\n\n\n\n Commands:<\/p>\n\n\n\n *tain-effect = what happens to PODS that DO NOT Tolerate this taint? Three types:<\/p>\n\n\n\n Apply toleration in pod, in yaml, it is defined under “spec”:<\/p>\n\n\n\n In general, the master node never gets pods (only the static pods for control-plane)<\/p>\n\n\n\n tell pods where to go (different for taint\/toleration)<\/p>\n\n\n\n First, apply on a node a label:<\/p>\n\n\n\n Second, apply on pod under “spec” the entry “nodeSelector”:<\/p>\n\n\n\n extension of “node selector” with “and” “or” logic ==> mode complex !!!!<\/p>\n\n\n\n DuringScheduling: pod is being created<\/p>\n\n\n\n Pod needs by default: cpu(0.5) men(256m) and disk<\/p>\n\n\n\n By default: max cpu = 1 \/\/ max mem = 512Mi<\/p>\n\n\n\n Important<\/strong> regarding going over the limit:<\/p>\n\n\n\n Example:<\/p>\n\n\n\n It is like a replicaset (only kind changes). run 1 pod in each node: ie monitoring, logs viewer, networking (weave-net), kube-proxy!!!<\/p>\n\n\n\n It uses NodeAffinity and default scheduler to schedule pods in nodes.<\/p>\n\n\n\n kubelet in a node, can create pods using files in \/etc\/kubernetes\/manifests automatically. But<\/strong>, it can’t do replicasets, deployments, etc<\/p>\n\n\n\n The path for the static pods folder is defined in kubelet config file<\/p>\n\n\n\n You can check with”docker ps -a” in master for docker images running the static pods.<\/p>\n\n\n\n Static pods is mainly used by master nodes for installing pods related to the kube cluster (control-plane: controller, apiserver, etcd, ..)<\/p>\n\n\n\n Important<\/strong>: <\/p>\n\n\n\n Comparation Static-Pod vs Daemon-Set<\/p>\n\n\n\n You can write you own scheduler.<\/p>\n\n\n\n How to create it:<\/p>\n\n\n\n Assign new scheduler to pod:<\/p>\n\n\n\n How to see logs:<\/p>\n\n\n\n Monitoring cluster components. There is nothing built-in (Oct 2018).<\/p>\n\n\n\n one per cluster. data kept in memory. kubelet (via cAdvisor) sends data to metric-server.<\/p>\n\n\n\n rollout -> a new revision. This is the reason you create “deployment” objects.<\/p>\n\n\n\n There are two strategies:<\/p>\n\n\n\n How to apply a new version?<\/p>\n\n\n\n How to check status of the rollout<\/p>\n\n\n\n From a “Dockerfile”:<\/p>\n\n\n\n With the docker image created above, you can create a container like this:<\/p>\n\n\n\n So now, kubernetes yaml file:<\/p>\n\n\n\n You define them inside the spec.containers.container section:<\/p>\n\n\n\n Defining env var can be tedious, so config maps is the way to manage them a bit better. You dont have to define in each pod all env vars… just one entry now.<\/p>\n\n\n\n First, create configmap object:<\/p>\n\n\n\n Apply configmap to a container in three ways:<\/p>\n\n\n\n Check “explain” for more info:<\/p>\n\n\n\n This is encode in base64 so not really secure. It just avoid to have sensitive info in clear text…<\/p>\n\n\n\n A secret is only sent to a node if a pod on that node requires it. How to create secrets:<\/p>\n\n\n\n You can apply secrets in three ways:<\/p>\n\n\n\n Scenarios where your app needs an agent, ie: web server + log agent<\/p>\n\n\n\n You use an init container when you want to setup something before the other containers are created. Once the initcontainers complete their job, the other containers are created.<\/p>\n\n\n\n An initContainer is configured in a pod like all other containers, except that it is specified inside a initContainers section<\/p>\n\n\n\n You can configure multiple such initContainers as well, like how we did for multi-pod containers. In that case each init container is run one at a time in sequential order.<\/p>\n\n\n\n1.2- ETCD<\/h2>\n\n\n\n
client: .\/etcdctl set key1 value1\n .\/etcdctl get key1 <\/pre>\n\n\n\n
1- wget \"github binary path to etc\"\n2- setup config file: important \"--advertise-client-urls: IP:2379\"\n a lot of certs needed!!!<\/pre>\n\n\n\n
$ kubectl get pods -n kube-system | grep etcd\n\n\/\/ get all keys from etcd\n$ kubectl exec etcd-master -n kube-system etcdctl get \/ --prefix -keys-only<\/pre>\n\n\n\n
1.3- Kube API Server<\/h2>\n\n\n\n
1.4- Kube Controller-Manager<\/h2>\n\n\n\n
1.5- Kube Scheduler<\/h2>\n\n\n\n
1.6- Kubelet<\/h2>\n\n\n\n
1.7- Kube-Proxy<\/h2>\n\n\n\n
1.8- POD<\/h2>\n\n\n\n
apiVersion: v1\nkind: Pod\nmetadata:\n name: postgres-pod\n labels:\n name: postgres-pod\n app: demo-voting-app\nspec:\n containers:\n - name: postgres\n image: postgres\n ports:\n - containerPort: 5432\n env:\n - name: POSTGRES_USER\n value: \"postgres\"\n - name: POSTGRES_PASSWORD\n value: \"postgres\"<\/code><\/pre>\n\n\n\n$ kubectl create -f my-pod.yaml\n$ kubectl get pods\n$ kubectl describe pod postgres<\/pre>\n\n\n\n
1.9 ReplicaSet<\/h2>\n\n\n\n
apiVersion: apps\/v1\nkind: ReplicaSet\nmetadata:\n name: my-rs\n labels:\n app: myapp\nspec:\n replicas: 3\n selector: \/\/ match pods created before the RS - main difference between RS \n and RC\n matchLabels:\n app: myapp --> find labels from pods matching this\n template:\n metadata:\n name: myapp-pod\n labels:\n app: myapp\n spec:\n containers:\n - name: nginx-controller\n image: nginx<\/code><\/pre>\n\n\n\n$ kubectl create -f my-rs.yaml\n$ kubectl get replicaset\n$ kubectl scale --replicas=4 replicaset my-rs\n$ kubectl replace -f my-rs.yaml<\/pre>\n\n\n\n
1.10- Deployments<\/h2>\n\n\n\n
apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n name: my-deployment\n labels:\n app: myapp\nspec:\n replicas: 3\n selector: \/\/ match pods created before the RS - main difference between RS \n and RC\n matchLabels:\n app: myapp --> find labesl from pods matching this\n template:\n metadata:\n name: myapp-pod\n labels:\n app: myapp\n spec:\n containers:\n - name: nginx-controller\n image: nginx<\/code><\/pre>\n\n\n\n$ kubectl create -f my-rs.yaml\n$ kubectl get deployments\n$ kubectl get replicaset\n$ kubectl get pods<\/pre>\n\n\n\n
1.11- Namespace<\/h2>\n\n\n\n
db-service.dev.svc.cluster.local\n--------- --- --- -----------\nsvc name ns type domain(default)\n\n10-10-1-3.default.pod.cluster-local\n--------- --- --- -----------\npod IP ns type domain(default)<\/pre>\n\n\n\n
$ kubectl get pods --namespace=xx (by default is used \"default\" namespace)<\/pre>\n\n\n\n
namespace-dev.yaml\n---\napiVersion: v1\nkind: Namespace\nmetadata:\nname: dev\n\n$ kubectl create -f namespace-dev.yaml\nor\n\n$ kubectl create namespace dev<\/pre>\n\n\n\n
$ kubectl config set-context $(kubectl config current-context) -n dev\n<\/pre>\n\n\n\n
$ kubectl get pods --all-namespaces\n\n$ kubectl get ns --no-headers | wc -l<\/pre>\n\n\n\n
1.12- Resource Quotas<\/h2>\n\n\n\n
apiVersion: v1\nkind: ResourceQuota\nmetadata:\n name: compute-quota\n namespace: dev\nspec:\n hard:\n pods: \"10\"\n requests.cpu: \"4\"\n requests.memory: 5Gi\n limits.cpu: \"10\"\n limits.memory: 10Gi<\/code><\/pre>\n\n\n\n$ kubectl create -f compute-quota.yaml<\/pre>\n\n\n\n
1.13 Services<\/h2>\n\n\n\n
1.13.1 NodePort<\/h3>\n\n\n\n
apiVersion: v1\nkind: Service\nmetadata:\n name: mypapp-service\nspec:\n type: NodePort\n ports:\n - targetPort: 80\n port: 80\n nodePort: 30080 (range: 30000-32767)\n selector:\n app: myapp ---|\n type: front-end ---|-> matches pods !!!!\n<\/code><\/pre>\n\n\n\n\/\/ declarative\n$ kubectl create -f service-definition.yml\n$ kubectl get services\n\n\/\/ imperative\n$ kubectl expose deployment simple-webapp-deployment --name=webapp-service --target-port=8080 --type=NodePort \\\n--dry-run=client -o yaml > svc.yaml --> create YAML !!!<\/pre>\n\n\n\n
$ kubectl run redis --image=redis:alpine --labels=tier=db\n$ kubectl expose pod redis --name redis-service --port 7379 --target-port 6379<\/pre>\n\n\n\n
1.13.2 ClusterIP<\/h3>\n\n\n\n
apiVersion: v1\nkind: Service\nmetadata:\n name: back-end\nspec:\n type: ClusterIP \/\/ (default)\n ports:\n - targetPort: 80\n port: 80\n selector:\n app: myapp\n type: back-end<\/code><\/pre>\n\n\n\n$ kubectl create -f service-definition.yml\n$ kubectl get services<\/pre>\n\n\n\n
1.13.3 Service Bound<\/h3>\n\n\n\n
$ kubectl get service XXX | grep -i endpoint<\/pre>\n\n\n\n
1.13.4 Microservice Architecture Example<\/h3>\n\n\n\n
voting-app result-app\n (python) (nodejs)\n |(1) ^ (4)\n v |\nin-memoryDB db\n (redis) (postgresql)\n ^ (2) ^ (3)\n | |\n ------- -------\n | |\n worker\n (.net)<\/code><\/pre>\n\n\n\n1- deploy containers -> deploy PODs (deployment)\n2- enable connectivity -> create service clusterIP for redis\n create service clusterIP for postgres\n3- external access -> create service NodePort for voting\n create service NodePort for result<\/pre>\n\n\n\n
1.14- Imperative vs Declarative<\/h2>\n\n\n\n
$ kubectl run\/create\/expose\/edit\/scale\/set \u2026\n$ kubectl replace -f x.yaml !!! x.yaml has been updated<\/pre>\n\n\n\n
$ kublectl apply -f x.yaml <--- it creates\/updates<\/pre>\n\n\n\n
1.15 – kubectl and options<\/h2>\n\n\n\n
--dry-run<\/strong>: By default as soon as the command is run, the resource will be created. If you simply want to test your command , use the --dry-run=client option. This will not create the resource, instead, tell you weather the resource can be created and if your command is right.\n\n-o yaml<\/strong>: This will output the resource definition in YAML format on screen.\n\n$ kubectl explain<\/strong> pod --recursive<\/strong> ==> all options available\n\n$ kubectl logs<\/strong> [-f] POD_NAME [CONTAINER_NAME]\n\n$ kubectl -n prod exec -it PODNAME cat \/log\/app.log\n$ kubectl -n prod logs PODNAME<\/pre>\n\n\n\n
1.16- Kubectl Apply<\/h2>\n\n\n\n
2- SCHEDULING<\/h1>\n\n\n\n
2.1- Manual Scheduling<\/h2>\n\n\n\n
$ kubectl -n kube-system get pods | grep -i scheduler<\/pre>\n\n\n\n
2.2 Labels and Selectors<\/h2>\n\n\n\n
$ kubectl get pods --selector key=value --selector k1=v1\n$ kubectl get pods --selector key=value,k1=v1\n$ kubectl get pods -l key=value -l k1=v1<\/pre>\n\n\n\n
--\nspec:\n replicas: 3\n selector:\n matchLabels:\n app:App1 <----\n template: |\n metadata: |-- need to match !!!\n labels: |\n app:App1 <---<\/code><\/pre>\n\n\n\n2.3 Taints and Tolerations<\/h2>\n\n\n\n
$ kubectl taint nodes NODE_NAME key=value:taint-effect\n$ kubectl taint nodes node1 app=blue:NoSchedule <== apply\n$ kubectl taint nodes node1 app=blue:NoSchedule-<\/strong> <== remove(-) !!!\n$ kubectl taint nodes node1 <== display taints<\/pre>\n\n\n\n
- NoSchedule:\n- PreferNoSchedule: will try to avoid the pod in the node, but not guarantee\n- NoExecute: new pods will not be installed here, and current pods will exit if they dont tolerate the new taint. The node could have already pods before applying the taint\u2026<\/pre>\n\n\n\n
spec:\n tolerations:\n - key: \"app\"\n operator: \"Equal\"\n value: \"blue\"\n effect: \"NoSchedule\"<\/code><\/pre>\n\n\n\n$ kubectl describe node X | grep -i taint<\/pre>\n\n\n\n
2.4 Node Selector<\/h2>\n\n\n\n
$ kubectl label nodes NODE key=value\n$ kubectl label nodes NODE size=Large<\/pre>\n\n\n\n
...\nspec:\n nodeSelector:\n size: Large<\/pre>\n\n\n\n
2.5 Node Affinity<\/h2>\n\n\n\n
apply on pod:#\n....\nspec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution: or \n preferredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: size\n operator: In || NotIn || Exists\n values:\n - Large Small\n - Medium<\/code><\/pre>\n\n\n\n2.6 Resource Limits<\/h2>\n\n\n\n
if pod uses more cpu<\/strong> than limit -> throttle<\/strong>\n mem<\/strong> -> terminate<\/strong> (OOM)<\/pre>\n\n\n\n
pod\n---\nspec:\n containers:\n resources:\n requests:\n memory: \"1Gi\"\n cpu: 1\n limits:\n memory: \"2Gi\"\n cpu: 2<\/code><\/pre>\n\n\n\n2.7 DaemonSets<\/h2>\n\n\n\n
$ kubectl get daemonset<\/pre>\n\n\n\n
if you add<\/strong> a node, the daemonset creates<\/strong> that pod\n delete<\/strong> deletes<\/strong><\/pre>\n\n\n\n
apiVersion: apps\/v1\nkind: DaemonSet\nmetadata:\n name: monitoring-daemon\nspec:\n selector:\n matchLabels:\n app: monitoring-agent\n template:\n metadata:\n labels:\n app: monitoring-agent\n spec:\n containers:\n - name: monitoring-agent\n image: monitoring-agent<\/code><\/pre>\n\n\n\n2.8 Static PODs<\/h2>\n\n\n\n
kubelet.service <- config file\n...\n--config=kubeconfig.yaml \\ or\n--pod-manifest-path=\/etc\/kubernetes\/manifests\n\n\nkubeconfig.yaml\n---\nstaticPodPath: \/etc\/kubernetes\/manifests<\/pre>\n\n\n\n
static pod vs daemon-set\n---------- -----------\n- created by kubelet - created by kube-api\n- deploy control-plane componets - deploy monitoring, logging\n as static pods agents on nodes\n- ignored by kube-scheduler - ignored by kube-scheduler<\/code><\/pre>\n\n\n\n2.9 Multiple Schedulers<\/h2>\n\n\n\n
kube-scheduler.service\n--scheduler-name= custom-scheduler\n\n\/etc\/kubernetes\/manifests\/kube-scheduler.yam --> copy and modify\n--- (a scheduler is a pod!!!)\napiVersion: v1\nkind: Pod\nmetadata:\n name: my-custom-scheduler\n namespace: kube-system\nspec:\n containers:\n - command:\n - kube-scheduler\n - --address=127.0.0.1\n - --kubeconfig=\/etc\/kubernetes\/scheduler.conf\n - --leader-elect=false\n - --scheduler-name=my-custom-scheduler\n - --lock-object-name=my-custom-scheduler\n image: xxx\n name: kube-scheduler\n ports:\n - containerPort: XXX<\/code><\/pre>\n\n\n\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: nginx\nspec:\n containers:\n - image: nginx\n name: nginx\n schedulerName: my-custom-scheduler<\/code><\/pre>\n\n\n\n$ kubectl get events ---> view scheduler logs\n$ kubectl logs my-custom-scheduler -n kube-system<\/pre>\n\n\n\n
3- LOGGING AND MONITORING<\/h1>\n\n\n\n
3.1- metrics server<\/h2>\n\n\n\n
install: > minukube addons enable metrics-server \/\/or\n other envs: git clone \"github path to binary\"\n kubectl create -f deploy\/1.8+\/\n\nview: > kubectl top node\/pod<\/pre>\n\n\n\n
4- APPLICATION LIFECYCLE MANAGEMENT<\/h1>\n\n\n\n
4.1- Rolling updates \/ Rollout<\/h2>\n\n\n\n
1) Declarative: make change in deployment yaml file\nkubectl apply -f x.yaml (recommended)\n\nor\n\n2) Imperative: \nkubectl create deployment nginx-deploy --image=nginx:1.16\nkubectl set image deployment\/nginx-deploy nginx=nginx:1.17 --record<\/pre>\n\n\n\n
status: $ kubectl rollout status deployment\/NAME\nhistory: $ kubectl rollout history deployment\/NAME\nrollback: $ kubectl rollout undo deployment\/NAME\n<\/pre>\n\n\n\n
4.2- Application commands in Docker and Kube<\/h2>\n\n\n\n
---\nFROM Ubuntu\nENTRYPOINT [\"sleep\"] --> cli commands are appended to entrypoint\nCMD [\"5\"] --> if you dont pass any value in \"docker run ..\" it uses by \n default 5.\n---<\/pre>\n\n\n\n
$ docker run --name ubuntu-sleeper ubuntu-sleeper 10<\/pre>\n\n\n\n
apiVersion: v1\nkind: Pod\nmetadata:\n name: ubuntu-sleeper-pod\nspec:\n containers:\n - name: ubuntu-sleeper\n image: ubuntu-sleeper\n command: [\"sleep\",\"10\"] --> This overrides ENTRYPOINT in docker\n args: [\"10\"] --> This overrides CMD [x] in docker\n [\"--color=blue\"]\n<\/code><\/pre>\n\n\n\n4.3- Environment variables<\/h2>\n\n\n\n
spec:\n containers:\n - name: x\n image: x\n ports:\n - containerPort: x\n env:\n - name: APP_COLOR\n value: pink<\/code><\/pre>\n\n\n\n4.4- ConfigMap<\/h2>\n\n\n\n
imperative<\/strong> $ kubectl create configmap NAME \\\n --from-literal=KEY=VALUE \\\n --from-literal=KEY2=VALUE2 \\\n or\n --from-file=FILE_NAME\nFILE_NAME\nkey1: val1\nkey2: val2\n\ndeclarative<\/strong> $ kubectl create -f cm.yaml\n $ kubectl get configmaps\n\ncat app-config\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\nname: app-config\ndata:\nKEY1: VAL1\nKEY2: VAL2<\/pre>\n\n\n\n
1) Via \"envFrom\": all vars\n\nspec:\n containers:\n - name: xxx\n envFrom: \/\/ all values\n - configMapRef:\n name: app-config\n\n2) Via \"env\", to import only specific vars\n\nspec:\n containers:\n - name: x\n image: x\n ports:\n - containerPort: x\n env:\n - name: APP_COLOR -- get one var from a configmap, dont import everything\n valueFrom:\n configMapKeyRef:\n name: app-config\n key: APP_COLOR\n\n3) Volume:\n\nvolumes:\n- name: app-config-volume\n configMap:\n name: app-config\n<\/code><\/pre>\n\n\n\n$ kubectl explain pods --recursive | grep envFrom -A3<\/pre>\n\n\n\n
4.5- Secrets<\/h2>\n\n\n\n
Kubelet stores the secret into a tmpfs so that the secret is not written to disk storage. Once the Pod that depends on the secret is deleted, kubelet will delete its local copy of the secret data as well:
https:\/\/kubernetes.io\/docs\/concepts\/configuration\/secret\/#risks<\/p>\n\n\n\nimperative<\/strong> $ kubectl create secret generic NAME \\\n --from-literal=KEY=VAL \\\n --from-literal=KEY2=VAL2 \n or\n --from-file=FILE\ncat FILE\nDB_Pass: password\n\ndeclarative<\/strong> $ kubectl create -f secret.yaml\n\ncat secret.yaml\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: app-secret\ndata:\n DB_Pass: HASH <---- $ echo -n 'password' | base64 \/\/ ENCODE !!!!\n $ echo -n 'HASH' | base64 --decode \/\/ DECODE !!!!<\/pre>\n\n\n\n
1) as \"envFrom\" to import all params from secret object\n\nspec:\n containers:\n - name: xxx \n envFrom: \n - secretRef:\n name: app-secret\n\n2) Via \"env\" to declare only one secret param\n\nspec:\n containers:\n - name: x\n image: x\n env:\n name: APP_COLOR\n valueFrom:\n secretKeyRef:\n name: app-secret\n key: DB_password\n\n3) Volumes:\n\nspec:\n containers:\n - command: [\"sleep\", \"4800\"]\n image: busybox\n name: secret-admin\n volumeMounts:\n - name: secret-volume\n mountPath: \"\/etc\/secret-volume\"\n readOnly: true\n volumes:\n - name: secret-volume\n secret:\n secretName: app-secret --> each key from the secret file is created\n as a file in the volume.\n The content of the file is the secret.\n\n\n$ ls -ltr \/etc\/secret-volume\nDB_Host\nDB_User\nDB_Password<\/pre>\n\n\n\n
4.6- Multi-container Pods<\/h2>\n\n\n\n
apiVersion: v1\nkind: Pod\nmetadata:\n name: simple-webapp\n labels:\n name: simple-webapp\nspec:\n containers:\n - name: simple-webapp\n image: simple-webapp\n ports:\n - containerPort: 8080\n - name: log-agent\n image: log-agent<\/code><\/pre>\n\n\n\n4.7- Init Container<\/h2>\n\n\n\n