-
Notifications
You must be signed in to change notification settings - Fork 0
/
resources.yml
229 lines (228 loc) · 10 KB
/
resources.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
# see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#serviceaccount-v1-core
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubernetes-hello
imagePullSecrets:
- name: pandora-rancher-test-5000
---
# see https://kubernetes.io/docs/reference/access-authn-authz/rbac/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#role-v1-rbac-authorization-k8s-io
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-read
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
---
# see https://kubernetes.io/docs/reference/access-authn-authz/rbac/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#rolebinding-v1-rbac-authorization-k8s-io
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-hello-pod-read
subjects:
- kind: ServiceAccount
name: kubernetes-hello
roleRef:
kind: Role
name: pod-read
apiGroup: rbac.authorization.k8s.io
---
# see https://kubernetes.io/docs/concepts/services-networking/ingress/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#ingress-v1-networking-k8s-io
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kubernetes-hello
spec:
rules:
# NB due to the external-dns controller this will automatically configure the external DNS server (installed
# in the pandora box) based on this ingress rule.
# see https://github.com/kubernetes-incubator/external-dns
# NB you can use any other host, but you have to make sure DNS resolves to one of k8s cluster IP addresses.
# NB you could also use xip.io to make rancher automatically generate a host alike kubernetes-hello.default.10.1.0.3.xip.io.
# NB you can see the configured server names on the nginx ingress with:
# kubectl --namespace ingress-nginx exec $(kubectl --namespace ingress-nginx get pods -l app=ingress-nginx -o name) cat /etc/nginx/nginx.conf | grep 'server_name '
- host: kubernetes-hello.rancher.test
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-hello
port:
name: http
---
# see https://kubernetes.io/docs/concepts/services-networking/service/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#service-v1-core
# see https://github.com/kubernetes-incubator/external-dns/blob/v0.5.16/docs/initial-design.md
# see https://github.com/kubernetes-incubator/external-dns/blob/v0.5.16/docs/ttl.md
apiVersion: v1
kind: Service
metadata:
name: kubernetes-hello
annotations:
external-dns.alpha.kubernetes.io/hostname: kubernetes-hello-lb.rancher.test
external-dns.alpha.kubernetes.io/ttl: "120"
spec:
selector:
app: kubernetes-hello
type: LoadBalancer
ports:
- name: http
protocol: TCP
port: 80
targetPort: http
---
# see https://kubernetes.io/docs/concepts/configuration/secret/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#secret-v1-core
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: kubernetes-hello-secrets
stringData:
username: ali.baba
password: Open Sesame
---
# see https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#configmap-v1-core
apiVersion: v1
kind: ConfigMap
metadata:
name: kubernetes-hello-configs
data:
example.toml: |
# a comment
[user]
name = "John Doe"
[logging]
level = "DEBUG"
example-certificate.pem: |
-----BEGIN CERTIFICATE-----
MIICTjCCAdSgAwIBAgIRAIPgc3k5LlLVLtUUvs4K/QcwCgYIKoZIzj0EAwMwaDEL
MAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0
eSBSZXNlYXJjaCBHcm91cDEkMCIGA1UEAxMbKFNUQUdJTkcpIEJvZ3VzIEJyb2Nj
b2xpIFgyMB4XDTIwMDkwNDAwMDAwMFoXDTQwMDkxNzE2MDAwMFowaDELMAkGA1UE
BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
YXJjaCBHcm91cDEkMCIGA1UEAxMbKFNUQUdJTkcpIEJvZ3VzIEJyb2Njb2xpIFgy
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEOvS+w1kCzAxYOJbA06Aw0HFP2tLBLKPo
FQqR9AMskl1nC2975eQqycR+ACvYelA8rfwFXObMHYXJ23XLB+dAjPJVOJ2OcsjT
VqO4dcDWu+rQ2VILdnJRYypnV1MMThVxo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU3tGjWWQOwZo2o0busBB2766XlWYwCgYI
KoZIzj0EAwMDaAAwZQIwRcp4ZKBsq9XkUuN8wfX+GEbY1N5nmCRc8e80kUkuAefo
uc2j3cICeXo1cOybQ1iWAjEA3Ooawl8eQyR4wrjCofUE8h44p0j7Yl/kBlJZT8+9
vbtH7QiVzeKCOTQPINyRql6P
-----END CERTIFICATE-----
example-jwt.txt: |
eyJhbGciOiJSUzI1NiIsImtpZCI6Il8ybnI0NTI1UzVBclAwS05YQ0xySDZwMG4zYXVDX0RZcVBJdU8zN2gzTkEiLCJ0eXAiOiJKV1QifQ.eyJuYW1lc3BhY2VfaWQiOiIxMCIsIm5hbWVzcGFjZV9wYXRoIjoiZXhhbXBsZSIsInByb2plY3RfaWQiOiI3IiwicHJvamVjdF9wYXRoIjoiZXhhbXBsZS9naXRsYWItY2ktdmFsaWRhdGUtand0IiwidXNlcl9pZCI6IjEiLCJ1c2VyX2xvZ2luIjoicm9vdCIsInVzZXJfZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSIsInBpcGVsaW5lX2lkIjoiMTIiLCJqb2JfaWQiOiIyMyIsInJlZiI6Im1hc3RlciIsInJlZl90eXBlIjoiYnJhbmNoIiwicmVmX3Byb3RlY3RlZCI6InRydWUiLCJqdGkiOiJlY2I3YjJhOS02ZTljLTQ4NmUtYmYxNC1mNjIyOTgyOTMwODAiLCJpc3MiOiJnaXRsYWIuZXhhbXBsZS5jb20iLCJpYXQiOjE2MDA1OTExMjgsIm5iZiI6MTYwMDU5MTEyMywiZXhwIjoxNjAwNTk0NzI4LCJzdWIiOiJqb2JfMjMifQ.O_5PjdarFNJQ1u8Xh17BoWdsrxHtmeKu8_GJHJVuFRG3PE66hDTC0cOrqCP4iGp5InygIp26DE-C-fJ1QzgAiCkROQY83vLCq3_aTDVozCpuKdvifg7rxM5kd9ZmccmLnRrSnMPFF3LZPxvwn8A50ajJJOEbdD1Cud_lJd5ViVYZRPaATy44gPTFC72yqBIFwsrl5cB5Tlir_iMQyY4iMNYj-OWHG--hMVovUVVr9lFmhU8CmcaWjEd7C9gngp7hQ-BqMTWqhnCUUcipy7hNeHEACTrYjARuJEKAUMQf_23p1WO_ELHBNGrKSrKDFWtY_VOuGi7nmNVXU-Af0HCPzeYcoDwX1ex6E8ucrH5cgwj0exOIknBrcROWrxd6OFGQLo7V0hwRJ5P6auZJr5lG_hc0n2Ijc-sr266LRBzgwrqcVD9pcgfr6hW1wuyt9fyuNDvnXSkNQFT4v_CjhByUHm13CNRm7WW2urVUSL_suKR5yjV1k1AAzHo3-x1SeH4e9J8RkWiAtRGkU3imPtaADR3FpHCSzkncp-DC4iRTtGIKVLLuaLNZqKQWtfbTT8bfP0PxV109sb404t7U_gXZ5cqgi8Jam0FoYUyO_qEuBwwQdyHsj1YvYFCBLIFz3Zcu7gfUgEjGHCcFyrr9SArlj5YUWMmnbns77B0mwvl0Y4M
---
# see https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
# see https://kubernetes.io/docs/concepts/storage/projected-volumes/#serviceaccounttoken
# see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#daemonset-v1-apps
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podtemplatespec-v1-core
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#container-v1-core
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#serviceaccounttokenprojection-v1-core
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kubernetes-hello
spec:
selector:
matchLabels:
app: kubernetes-hello
template:
metadata:
labels:
app: kubernetes-hello
spec:
serviceAccountName: kubernetes-hello
enableServiceLinks: false
nodeSelector:
kubernetes.io/arch: amd64
kubernetes.io/os: linux
containers:
- name: kubernetes-hello
image: ruilopes/kubernetes-hello
ports:
- name: http
containerPort: 8000
resources:
requests:
memory: 20Mi
cpu: '0.1'
limits:
memory: 20Mi
cpu: '0.1'
env:
# configure the go runtime to honour the k8s memory and cpu
# resource limits.
# NB resourceFieldRef will cast the limits to bytes and integer
# number of cpus (rounding up to the nearest integer).
# see https://pkg.go.dev/runtime
# see https://www.riverphillips.dev/blog/go-cfs/
# see https://github.com/golang/go/issues/33803
# see https://github.com/traefik/traefik-helm-chart/pull/1029
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
# see https://github.com/kubernetes/kubernetes/blob/master/test/e2e/common/downward_api.go
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: tokens
readOnly: true
mountPath: /var/run/secrets/tokens
- name: secrets
readOnly: true
mountPath: /var/run/secrets/example
- name: configs
readOnly: true
mountPath: /var/run/configs/example
volumes:
- name: tokens
projected:
sources:
- serviceAccountToken:
path: example.com-jwt.txt
audience: example.com
# NB the kubelet will periodically rotate this token.
# NB the token is rotated when its older than 80% of its time
# to live or if the token is older than 24h.
# NB in production, set to a higher value (e.g. 3600 (1h)).
# NB the minimum allowed value is 600 (10m).
# NB this is equivalent of using the TokenRequest API.
# see https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/
# NB this is equivalent of executing:
# kubectl create token kubernetes-hello --audience example.com --duration 600s
# see https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_token/
expirationSeconds: 600
- name: secrets
secret:
secretName: kubernetes-hello-secrets
defaultMode: 0400
- name: configs
configMap:
name: kubernetes-hello-configs
defaultMode: 0400