<kbd>minikube</kbd> runs an all-in-one or a multi-node local Kubernetes cluster on your personal computer. how to install minikube curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-darwin-amd64 sudo install minikube-darwin-amd64 /usr/local/bin/minikube how to start 「docker」 driver minikube start --driver=docker --kubernetes-version=v1.28.2 minikube config set driver docker The direct access only works on Linux, the docker network is not accessible on macOS or on Windows

CNCF和Linux基金會聯合推出的K8S考試認證。委託給 PSI 來進行監督考試[color=#907bf7] All the exam costs $399, with one free retake. 難易度：CKAD -> CKA -> CKS CKA Have the skills, knowledge, and competency to perform the responsibilities of Kubernetes administrators. Certified Kubernetes Administrator focuses on testing the knowledge and skills of a candidate in the field of all aspects of Kubernetes cluster concepts

:::info Helm 是 Kubernetes 的部署管理工具（不僅僅是包管理器 package manager）。它對可重複部署、依賴項管理(重用和共享)、多配置管理、更新、回滾和測試應用程式部署（版本）等方面做了大量工作。 可以幫助開發者打包，安裝，升級相關的 Kubernetes 應用程式 ::: info Helm 是 Kubernetes Chart 的管理工具，Kubernetes Chart 是一套預先組態的 Kubernetes 資源套件。使用 Helm 有以下幾個好處： 查詢與使用熱門的 Kubernetes Chart 軟體套件。

Create a read-only Service Account that has access to limited default namespace only. 1. Create a service account kubectl create serviceaccount deploy-robot 2. Create a role with get, list, and watch permission on default namespace kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deploy-robot rules: - apiGroups: [""]

livenessProbe livenessProbe: exec: command: - cat - /tmp/healthy initialDelaySeconds: 5 periodSeconds: 5 this is a check to restart the container on the same pod if the command ls /var/www/html/file_check fails. This check should start after a delay of 10 seconds and run every 60 seconds.

:::info 連接到 Pod 有兩種方式，一種是建立 Service 另一種是用 port-forward Service 的目的就是提供單一的 endpoint 給 clients 去訪問其背後所代理的 Pods ::: port-forward 就是把 host 上的某個 port 連線至 Pod 的對外 port kubectl port-forward pod/${podname} ${NodePort}:${PodPort}

1⃣ ConfigMap 特性 ConfigMap 通常都是用來存放偏向部署面的設定檔，像是資料庫的初始化設定、nginx 設定檔等等 # game.properties enemies=aliens lives=3 enemies.cheat=true enemies.cheat.level=noGoodRotten secret.code.passphrase=UUDDLRLRBABAS secret.code.allowed=true

[color=pink]在 K8s 的 Deployment 應用中做了一個假設：發佈應用的 pod 每一個是相同的，沒有相依性、順序性，更無所謂要運行在哪個 K8s node 上。依照需求，可以透過 Deployment 任意進行 pod scale-out scale-in。此可以稱為：無狀態應用（Stateless Application） StatefulSet 類似於 Deployment，可以指定要多少個 Pod (replicas) replicating stateful applications is more difficult cant be created/deleted at same time cant be randomly addressed replica Pods are not identical: Pod Identity Pod Identity

openssl genrsa -out bruce.key 2048 openssl req -new -key bruce.key -out bruce.csr -subj "/CN=bruce/O=myteam" openssl x509 -req -in bruce.csr \ -CA /Users/brucehsu/.minikube/ca.crt \ -CAkey /Users/brucehsu/.minikube/ca.key \ -CAcreateserial -days 1000 \ -out bruce.crt

Authentication kubectl get pods --kubeconfig config default file path: $HOME/.kube/config TLS certificate Certificate Authority (CA) 1. Generate Keys

:::warning A storageclass is a Kubernetes object that <span style="color: red">stores information about creating a persistent volume</span> for your pod. With a storageclass, you do not need to create a persistent volume separately before claiming it. ::: how to work  types of provisioner

The easiest way to create the PV/PVC pair for your Pod is to use a StorageClass object, and then <span style="color: red">using the storageclass to create your PV-PVC pair dynamically</span> whenever you need to use it. Persistent Volume <span style="color:red; font-weight: 600">a cluster resource</span>need to be there before using created via yaml file kind : PersistenVolume spec: e.g. how much storage?

:::info evaluate all rules manages redirections entrypoint to cluster many third-party implementations In order for the Ingress resource to work, the cluster must have an ingress controller running. [color=pink] Controller 就只是個管理眾多 ==Ingress resource 的集大成==而已，真正做事情還是要依靠 Ingress resource 去做 Service 的串接

create data, inject into Pod types of valueFrom fieldRefenv: - name: MY_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name configMapKeyRef

:::info manages external access to the services in a cluster, typically HTTP. 可設定每一個endpoint的規則，以及對應的路徑，如果要有basic-auth或者是TLS，也是在這設定 ::: :::warning Ingress 本身並沒有提供負載平衡的功能，還需要透過 Ingress Controller 來實現。Ingress 目前主要支援兩種型別 GCE 與 Nginx。 負載平衡(Load Balancing)：以往我們可以透過外部的資源，像是 AWS ELB 來實現，將流量分配給不同的機器。而 Kubernetes 現在也提供了一個內部工具 Ingress Controller ，讓我們自己可以在 Kubernetes Cluster 中實現 Load Balancing 而無需透過外部資源。

useful command lines kubectl create deployment nginx --image=nginx --replicas=4 definition apiVersion: apps/v1 kind: Deployment metadata: name: helloworld spec: replica: 2 strategy:

:::info An ==agent== that runs on each node in the cluster. It makes sure that containers are running in a Pod. ::: The kubelet takes a set of PodSpecs that are provided through various mechanisms and ensures that the ==containers== described in those PodSpecs are running and healthy. The kubelet doesn't manage containers which were not created by Kubernetes.  cri-tools

kubeadm upgrade plan # or kubectl -n kube-system get cm kubeadm-config -o yaml Administer a cluster kubectl drain --ignore-daemonsets <node name> kubectl uncordon <node name> Upgrade the ==controlplane== components Controlplane Node Upgraded to v1.25.0 apt update

or condition, 3 seperate rules example  允許internal pod 利用port 336連到 mysql pod 允許internal pod 利用port 8080連到 payroll pod apiVersion: networking.k8s.io/v1 kind: NetworkPolicy

<kbd>kubectl</kbd> allows you to run commands against Kubernetes clusters.You can use kubectl to deploy applications, inspect and manage cluster resources, and view logs. how to install curl -LO "https://dl.k8s.io/release/v1.26.4/bin/darwin/amd64/kubectl" chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl sudo chown root: /usr/local/bin/kubectl alias k=kubectl useful "imperative" command lines ==explicit instructions==