YAML in Kubernetes
=====

###### tags: `k8s` `declarative`

[Toc]

|Kind|Version|
|:-------|:-------|
|Pod|v1|
|Service|v1|
|ReplicationController|v1|
|Namespace|v1|
|ResourceQuota|v1|
|ConfigMap|v1|
|ReplicaSet|apps/v1|
|DaemonSet|apps/v1|
|NetworkPolicy|networking.k8s.io/v1|

## pod-definition.yaml

+ `metadata`: a dictionary
+ `apiVersion`, `kind`: strings
+ `spec.containers`: an array

```yaml=
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
    type: frontend
spec:
  containers:
    - name: nginx-container
      image: nginx
      # command overrides the image ENTRYPOINT, args overrides CMD
      command: ["sleep"]   # the nginx image has no "sleep2" binary; "sleep" exists
      args: ["10"]
      ports:
        - containerPort: 8088
      env:
        - name: APP_COLOR
          value: pink
```

## rc-definition.yaml (ReplicationController)

```yaml=
apiVersion: v1
kind: ReplicationController
metadata:
  name: myapp-rc
  labels:
    app: myapp
    type: frontend
spec:
  template:
    metadata:
      name: myapp-pod
      labels:
        app: myapp
        type: frontend
    spec:
      containers:
        - name: nginx-container
          image: nginx
  replicas: 3
```

```shell=
$ kubectl get rc
NAME       DESIRED   CURRENT   READY   AGE
myapp-rc   3         3         0       4s
```

```shell=
$ kubectl get po
NAME             READY   STATUS    RESTARTS   AGE
myapp-rc-mslw6   1/1     Running   0          102s
myapp-rc-xk8b5   1/1     Running   0          102s
myapp-rc-z9k99   1/1     Running   0          102s
```

## rs-definition.yaml (ReplicaSet)

+ Pods and the ReplicaSet can be created at different points in time; `spec.selector` is what ties the ReplicaSet to its pods.
+ The ReplicaSet's `selector` is matched against the pods' `labels`.

```yaml=
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: myapp-rs
  labels:
    app: myapp
    type: frontend
spec:
  template:
    metadata:
      name: myapp-pod
      labels:
        app: myapp
        type: frontend
    spec:
      containers:
        - name: nginx-container
          image: nginx
  replicas: 3
  selector:
    matchLabels:
      type: frontend   # must match the labels in spec.template.metadata
```

## deployment-definition.yaml

+ Same structure as a ReplicaSet, with `kind: Deployment`.

```yaml=
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
  labels:
    app: myapp
    type: frontend
spec:
  template:
    metadata:
      name: myapp-pod
      labels:
        app: myapp
        type: frontend
    spec:
      containers:
        - name: nginx-container
          image: nginx
  replicas: 3
  selector:
    matchLabels:
      type: frontend
```

## service-definition.yaml

+ If `targetPort` is not specified, it defaults to the same value as `port`.

```yaml=
apiVersion: v1
kind: Service
metadata:
  name: myapp-service   # metadata.name is required; apply fails without it
spec:
  type: NodePort
  ports:
    - targetPort: 80    # port on the pod
      port: 80          # port on the service
      nodePort: 30008   # port on every node (30000-32767)
  selector:             # without a selector the service has no endpoints
    app: myapp
    type: frontend
```

```yaml=
apiVersion: v1
kind: Service
metadata:
  name: back-end
spec:
  type: ClusterIP
  ports:
    - targetPort: 80
      port: 80
  selector:
    app: myapp
    type: back-end
```

## namespace-definition.yaml

```yaml=
apiVersion: v1
kind: Namespace
metadata:
  name: dev
```

## quota-definition.yaml

```yaml=
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
  namespace: dev
spec:
  hard:
    pods: 10
    requests.cpu: 4
    requests.memory: 5Gi
    limits.cpu: 10
    limits.memory: 10Gi
```

## daemonset-definition.yaml

```yaml=
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: monitoring-daemon
spec:
  selector:
    matchLabels:
      app: monitoring-agent
  template:
    metadata:
      labels:
        app: monitoring-agent
    spec:
      containers:
        - name: monitoring-agent
          image: monitoring-agent
```

## role-definition.yaml

```yaml=
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
  - apiGroups: [""]   # "" is the core API group
    resources: ["pods"]
    verbs: ["list", "get", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["configmaps"]   # RBAC resource names are lowercase plural; "ConfigMap" matches nothing
    verbs: ["create"]
```

## role-binding-definition.yaml

```yaml=
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  # You can specify more than one "subject"
  - kind: User
    name: jane   # "name" is case sensitive
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role   # this must be Role or ClusterRole
  name: pod-reader   # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
```

## network-policy-definition.yaml

```yaml=
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # separate list items are OR-ed: traffic matching any one of them is allowed
        - podSelector:
            matchLabels:
              role: api-pod
        - namespaceSelector:
            matchLabels:
              project: staging
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
      ports:
        - protocol: TCP
          port: 6379
```
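Added example, not part of the original note: a small pre-apply check of the selector-to-label linkage described in the ReplicaSet and Service sections. The manifests are constructed JSON equivalents of the note's rs-definition.yaml and service-definition.yaml (kubectl accepts JSON as well as YAML, so no YAML library is needed), and `check_workload` and `pods_selected_by` are hypothetical helper names.

```python
import json

# Constructed sample manifests, modelled on the note's rs-definition.yaml.
RS_OK = json.loads("""{
  "apiVersion": "apps/v1", "kind": "ReplicaSet",
  "metadata": {"name": "myapp-rs", "labels": {"app": "myapp", "type": "frontend"}},
  "spec": {"replicas": 3,
           "selector": {"matchLabels": {"type": "frontend"}},
           "template": {"metadata": {"name": "myapp-pod",
                                     "labels": {"app": "myapp", "type": "frontend"}},
                        "spec": {"containers": [{"name": "nginx-container", "image": "nginx"}]}}}
}""")
# Same ReplicaSet, but the selector asks for a label value the template does not carry.
RS_BAD = json.loads(json.dumps(RS_OK))
RS_BAD["spec"]["selector"]["matchLabels"] = {"type": "front-end"}

# Constructed ClusterIP service modelled on the note's second service-definition.yaml.
SVC = {"apiVersion": "v1", "kind": "Service",
       "metadata": {"name": "back-end"},
       "spec": {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 80}],
                "selector": {"app": "myapp", "type": "back-end"}}}

def labels_match(selector: dict, labels: dict) -> bool:
    """Equality-based matching: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())

def check_workload(manifest: dict) -> list:
    """Problems with a ReplicaSet/Deployment/DaemonSet selector vs. its pod template.
    Only matchLabels is handled here (matchExpressions is ignored). The API server
    rejects these too ('selector does not match template labels'); catching them
    before apply keeps the failure out of the rollout."""
    spec = manifest.get("spec", {})
    selector = spec.get("selector", {}).get("matchLabels", {})
    template_labels = spec.get("template", {}).get("metadata", {}).get("labels", {})
    problems = []
    if not selector:
        problems.append("spec.selector.matchLabels is empty (required for apps/v1)")
    elif not labels_match(selector, template_labels):
        problems.append(f"selector {selector} does not match template labels {template_labels}")
    return problems

def pods_selected_by(service: dict, workloads: list) -> list:
    """Names of workloads whose pod template the Service selector would route to.
    An empty result means the Service has no endpoints (a service with no
    selector selects nothing)."""
    selector = service.get("spec", {}).get("selector", {})
    if not selector:
        return []
    return [w["metadata"]["name"] for w in workloads
            if labels_match(selector, w["spec"]["template"]["metadata"].get("labels", {}))]
```

Run against the constructed manifests, `RS_OK` passes, `RS_BAD` is reported, and `SVC` selects neither because its selector asks for `type: back-end` while the pod template is labelled `type: frontend`.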