Namespaces
kubectl get pods --namespace=dev
kubectl get pods --namespace=default
kubectl config set-context $(kubectl config current-context) --namespace=dev
ConfigMap
kubectl create configmap myconfigmap --from-literal=APP_COLOR=blue
kubectl create -f myconfigmap.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfigmap
data:
  APP_COLOR: blue
  APP_MODE: prod
then you inject into a container definition using
envFrom:
- configMapRef:
    name: myconfigmap
kubectl get configmaps
kubectl describe configmaps db-config
Secrets
kubectl create secret generic mysecret --from-literal=mykey=myvalue
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
# stringData accepts plain-text values; entries under data: must be base64-encoded
stringData:
  DBHost: mysql
  DBUser: root
  DBPassword: password
kubectl create -f secret_data.yaml
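Values under data: in a Secret manifest have to be base64-encoded. The following is an added example, not part of the original notes: it renders the app-secret manifest with encoded values and decodes one back, which shows that base64 is an encoding and not encryption. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# b64enc VALUE -> base64 of VALUE, without a trailing newline or line wrapping
b64enc() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# b64dec VALUE -> decoded plain text
b64dec() {
    printf '%s' "$1" | base64 -d
}

# render_secret NAME KEY=VALUE... -> Secret manifest on stdout
render_secret() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for pair in "$@"; do
        key=${pair%%=*}      # text before the first '='
        value=${pair#*=}     # text after the first '=' (may itself contain '=')
        printf '  %s: %s\n' "$key" "$(b64enc "$value")"
    done
}

# secret_value MANIFEST_TEXT KEY -> decoded value stored under KEY
secret_value() {
    enc=$(printf '%s\n' "$1" | sed -n "s/^  $2: //p")
    b64dec "$enc"
}

# Sample values taken from the Secret manifest above
manifest=$(render_secret app-secret DBHost=mysql DBUser=root DBPassword=password)
printf '%s\n' "$manifest"
printf 'decoded DBPassword: %s\n' "$(secret_value "$manifest" DBPassword)"
```

Against a live cluster the same decoding is kubectl get secret app-secret -o jsonpath='{.data.DBPassword}' | base64 -d, so anyone allowed to read the Secret can read the password.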
SECURITY
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
you can declare it at Pod or container level:
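spec:
  securityContext:            # Pod level
    runAsUser: 1000
  containers:
  - name: ubuntu-sleeper
    securityContext:          # container level; capabilities can only be set here
      capabilities:
        add: ["MAC_ADMIN"]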
#check which user runs the container
kubectl exec ubuntu-sleeper -- whoami
kubectl create serviceaccount dashboard-sa
kubectl get serviceaccount
kubectl describe serviceaccount dashboard-sa
kubectl describe secret dashboard-sa-account-token
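#--insecure skips TLS certificate verification; pass the cluster CA with --cacert to verify the API server
curl https://myip/api --insecure --header "Authorization: Bearer PASTE_THE_TOKEN_HERE"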
#change serviceaccount for a deployment
kubectl set serviceaccount deployment web-dashboard dashboard-sa --record
RESOURCES
resources:
  requests:
    memory: "1Gi"
    cpu: 1
Taints and Tolerations
kubectl taint nodes node-name key=value:taint-effect
taint-effect can be: NoSchedule, PreferNoSchedule, NoExecute
key=value can be app=blue
tolerations:
- key: "app"
  operator: "Equal"
  value: "blue"
  effect: "NoSchedule"
to remove taint:
kubectl taint nodes master node-role.kubernetes.io/master:NoSchedule-
NODE SELECTOR
nodeSelector:
  size: Large
where size is a key and Large a value
to label a node:
kubectl label node mynode key=value
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: color
          operator: In
          values:
          - blue
Readiness Probe
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
in the spec/containers/ section for each container:
readinessProbe:
  httpGet:
    path: /api/ready
    port: 8080
  initialDelaySeconds: 10
  periodSeconds: 5
besides httpGet you can use: "tcpSocket: port:", "exec: command:"
Liveness Probe
livenessProbe:
  httpGet:
    path: /api/ready
    port: 8080