Kubernetes学习笔记(7):Yaml模板

Resource

Basic Deployment

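apiVersion: apps/v1  # apps/v1beta1 and apps/v1beta2 were removed in Kubernetes 1.16; apps/v1 is the GA API
kind: Deployment
metadata:
  name: nginx-deployment-basic
  labels:
    app: nginx
spec:
  replicas: 2
  # apps/v1 makes selector mandatory; it must match the pod template labels below
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # nodeSelector:
      #   env: test-team
      containers:
        - name: nginx
          image: nginx:1.7.9  # replace with your exact <image_name:tag>; pin a tag or digest rather than relying on :latest
          ports:
            - containerPort: 80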

Deployment

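apiVersion: apps/v1  # apps/v1beta1 and apps/v1beta2 were removed in Kubernetes 1.16; apps/v1 is the GA API
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 2
  # apps/v1 makes selector mandatory; it must match the pod template labels below
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.7.9  # replace with your exact <image_name:tag>
          ports:
            - containerPort: 80
          livenessProbe:
            # exec:
            #   command:
            #     - sh
            #     - -c
            #     - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
            # NOTE: a password passed on the command line is visible in the container's
            # process list; prefer a probe that reads credentials from a file or the environment.
            #
            # tcpSocket:
            #   port: 8080
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 30
            timeoutSeconds: 5
            periodSeconds: 5
          readinessProbe:
            # exec:
            #   command:
            #     - sh
            #     - -c
            #     - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            timeoutSeconds: 1
            periodSeconds: 5
          # username/password come from an existing Secret (see the Secret template); as
          # environment variables they are readable by every process in the container
          env:
            - name: SECRET_USERNAME
              valueFrom:
                secretKeyRef:
                  name: test-secret
                  key: username
            - name: SECRET_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: test-secret
                  key: password
            # environment variable populated from a ConfigMap
            - name: SPECIAL_LEVEL_KEY
              valueFrom:
                configMapKeyRef:
                  # the ConfigMap holding the value assigned to SPECIAL_LEVEL_KEY
                  name: aliyun-config
                  # the key whose value is used
                  key: special.env
          # ConfigMap mounted as a volume
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
      volumes:
        - name: config-volume
          configMap:
            name: aliyun-config
            # items:
            #   - key: special.env
            #     path: env
      # create the docker registry secret with:
      # `kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL`
      imagePullSecrets:  # remove (or comment out) this field if the registry needs no credentials
        - name: myregistrykey  # replace with the name of your registry secret
      # alternatively, set imagePullSecrets on a ServiceAccount and run the pod under that account
      # serviceAccountName: user1
      # automountServiceAccountToken: false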

Pod

apiVersion: v1
kind: Pod
metadata:
  labels:
    name: hello-pod
  name: hello-pod
spec:
  # serviceAccountName: user1  # run the pod under a specific service account
  # automountServiceAccountToken: true  # mount an API token into the container; defaults to true, set false when the workload never calls the API
  # imagePullSecrets:  # uncomment to pull from a private registry
  #   - name: myregistrykey  # replace with your registry secret name
  containers:
    - image: nginx  # untagged image resolves to :latest; pin a tag or digest for reproducible deploys
      imagePullPolicy: IfNotPresent
      name: hello-pod
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}  # no requests/limits; a LimitRange in the namespace (if any) supplies defaults
      securityContext:
        capabilities: {}
        privileged: false  # keep false; a privileged container has host-level access
      terminationMessagePath: /dev/termination-log
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  # nodeSelector:
  #   env: test-team
status: {}

Pod & Node Selector

apiVersion: v1
kind: Pod
metadata:
  labels:
    name: hello-pod
  name: hello-pod
spec:
  containers:
    - image: nginx  # untagged image resolves to :latest; pin a tag or digest for reproducible deploys
      imagePullPolicy: IfNotPresent
      name: hello-pod
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      securityContext:
        capabilities: {}
        privileged: false  # keep false; a privileged container has host-level access
      terminationMessagePath: /dev/termination-log
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  # schedule only onto nodes carrying the label env=test-team
  nodeSelector:
    env: test-team

Service

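apiVersion: v1
kind: Service
metadata:
  name: my-service1  # TODO: set your service name
  labels:
    app: nginx-svc
spec:
  selector:
    app: nginx  # TODO: must match the labels of the backend pods
  ports:
    - protocol: TCP
      name: http
      port: 30080  # port the Service listens on inside the cluster (ClusterIP); not the node port
      targetPort: 80  # port the backend container listens on
      # the port opened on every node; must be unique in the cluster and inside the node-port
      # range (default 30000-32767). Omit it to let the API server allocate one.
      nodePort: 30080  # TODO: choose a free node port
  type: NodePort  # exposes the service on every node's IP, reachable from outside the cluster
  # type: LoadBalancer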

StatefulSet

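apiVersion: apps/v1  # apps/v1beta1 was removed in Kubernetes 1.16; apps/v1 is the GA API
kind: StatefulSet
metadata:
  name: "my-stateful-app"  # TODO: replace with your app name
spec:
  serviceName: "my-service"  # governing (usually headless) Service that gives each pod a stable DNS name
  replicas: 2
  # apps/v1 makes selector mandatory; it must match the pod template labels below
  selector:
    matchLabels:
      app: my-stateful-app
  template:
    metadata:
      name: "my-stateful-app"
      labels:
        app: my-stateful-app
    spec:
      containers:
        - name: nginx
          image: nginx:1.7.9  # TODO: replace with your exact <image_name:tag>
          ports:
            - containerPort: 80
          livenessProbe:
            # exec:
            #   command:
            #     - sh
            #     - -c
            #     - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
            # NOTE: a password passed on the command line is visible in the container's
            # process list; prefer a probe that reads credentials from a file or the environment.
            #
            # tcpSocket:
            #   port: 8080
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 30
            timeoutSeconds: 5
            periodSeconds: 5
          readinessProbe:
            # exec:
            #   command:
            #     - sh
            #     - -c
            #     - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            timeoutSeconds: 1
            periodSeconds: 5
          # username/password come from an existing Secret (see the Secret template)
          env:
            - name: SECRET_USERNAME
              valueFrom:
                secretKeyRef:
                  name: test-secret
                  key: username
            - name: SECRET_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: test-secret
                  key: password
            # environment variable populated from a ConfigMap
            - name: SPECIAL_LEVEL_KEY
              valueFrom:
                configMapKeyRef:
                  # the ConfigMap holding the value assigned to SPECIAL_LEVEL_KEY
                  name: aliyun-config
                  # the key whose value is used
                  key: special.env
          volumeMounts:
            # ConfigMap mounted as a volume
            - name: config-volume
              mountPath: /etc/config
            # per-pod persistent data, backed by the volumeClaimTemplates entry below
            - name: datadir
              mountPath: /usr/share/nginx/html
      volumes:
        - name: config-volume
          configMap:
            name: aliyun-config
  # one PVC is created per replica and keeps its data across pod restarts
  volumeClaimTemplates:
    - metadata:
        name: datadir
      spec:
        accessModes:
          - "ReadWriteMany"
        resources:
          requests:
            storage: "1Gi"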

ConfigMap

# kubectl create configmap game-config --from-file=docs/user-guide/configmap/kubectl
apiVersion: v1
kind: ConfigMap
metadata:
  name: aliyun-config
data:
  # replace the property file names and contents with your own.
  # NOTE: ConfigMap data is stored and served in plain text; anything sensitive (the
  # passphrase below is only sample data) belongs in a Secret instead.
  game.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
    secret.code.passphrase=UUDDLRLRBABAS
    secret.code.allowed=true
    secret.code.lives=30
  ui.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
    how.nice.to.look=fairlyNice
  # single value; referenced by the SPECIAL_LEVEL_KEY environment variable in the workload templates
  special.env: env_value

Secret

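apiVersion: v1
kind: Secret
metadata:
  name: test-secret
type: Opaque
data:
  # values must be the base64 of the raw bytes WITHOUT a trailing newline: a plain `echo`
  # appends one (visible as a trailing ...Cg==), and that newline then ends up in the mounted
  # value or environment variable. base64 is encoding, not encryption; keep this file out of VCS.
  username: bXktYXBw  # echo -n 'my-app' | base64
  password: Mzk1MjgkdmRnN0pi  # echo -n '39528$vdg7Jb' | base64
# alternatively put plain values under `stringData:` and let the API server encode them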

ResourceQuota

apiVersion: v1
kind: ResourceQuota  # caps aggregate usage in one namespace: cpu, memory, storage, pvc, replicationcontroller, pods, service, secret, configmap
metadata:
  name: quota
  # namespace: users-namespace  # namespace the quota applies to (defaults to the current one)
spec:
  # once cpu/memory quotas are set, pods that omit requests/limits are rejected unless a
  # LimitRange in the namespace supplies defaults
  hard:
    cpu: "20"  # total cpu for the namespace
    memory: 12Gi  # total memory for the namespace
    requests.storage: 1024G  # total requested storage for the namespace
    persistentvolumeclaims: "100"  # number of PVCs
    pods: "100"  # number of Pods
    replicationcontrollers: "10"  # number of ReplicationControllers
    services: "10"  # number of Services
    secrets: "100"  # number of Secrets
    configmaps: "100"  # number of ConfigMaps

LimitRange

apiVersion: v1
kind: LimitRange  # default request/limit injected into containers that set none of their own
metadata:
  name: limits
  # namespace: users-namespace  # namespace the defaults apply to
spec:
  limits:
    - default:  # used as `limits` when the container does not set them
        cpu: 4
        memory: 4Gi
      defaultRequest:  # used as `requests` when the container does not set them
        cpu: 100m
        memory: 256Mi
      type: Container

Namespace & LimitRange

apiVersion: v1
kind: Namespace
metadata:
  name: users-namespace
---
# quota scoped to the namespace created above
apiVersion: v1
kind: ResourceQuota
metadata:
  name: quota
  namespace: users-namespace
spec:
  hard:
    cpu: "20"
    memory: 12Gi
    pods: "10"
    replicationcontrollers: "20"
    resourcequotas: "10"  # number of ResourceQuota objects allowed in the namespace
    services: "5"

---
# default [request, limit] for every container that sets none
apiVersion: v1
kind: LimitRange
metadata:
  name: limits
  namespace: users-namespace
spec:
  limits:
    - default:
        cpu: 4
        memory: 4Gi
      defaultRequest:
        cpu: 100m
        memory: 256Mi
      type: Container

Namespace

apiVersion: v1
kind: Namespace
metadata:
  name: users-namespace
---
# quota scoped to the namespace created above
apiVersion: v1
kind: ResourceQuota
metadata:
  name: quota
  namespace: users-namespace
spec:
  hard:
    cpu: "20"
    memory: 12Gi
    pods: "10"
    replicationcontrollers: "20"
    resourcequotas: "10"  # number of ResourceQuota objects allowed in the namespace
    services: "5"

---
# default [request, limit] for every container that sets none
apiVersion: v1
kind: LimitRange
metadata:
  name: limits
  namespace: users-namespace
spec:
  limits:
    - default:
        cpu: 4
        memory: 4Gi
      defaultRequest:
        cpu: 100m
        memory: 256Mi
      type: Container

PersistentVolumeClaim

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: nfs-pvc1
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi  # TODO: size must fit a PV available in the NFS pool

---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: ceph-rbd-pvc1
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi  # TODO: size must fit a PV available in the Ceph RBD pool
  storageClassName: general  # binds only to PVs (or a provisioner) of this class

Knative Service

apiVersion: serving.knative.dev/v1alpha1  # NOTE: v1alpha1 is deprecated; current Knative Serving uses serving.knative.dev/v1 (this minimal spec should carry over unchanged)
kind: Service
metadata:
  name: helloworld-go
spec:
  template:
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/knative-sample/helloworld-go:73fbdd56
          env:
            - name: TARGET
              value: "Knative"

Storage

Aliyun Disk

apiVersion: v1
kind: PersistentVolume
metadata:
  name: d-bp1j17ifxfasvts3tf40  # TODO: PV name (the cloud disk id is reused here)
spec:
  capacity:
    storage: 20Gi  # TODO: exact size of the cloud disk
  accessModes:
    - ReadWriteOnce  # a block disk attaches to one node at a time
  flexVolume:
    driver: "alicloud/disk"
    fsType: "ext4"
    options:
      volumeId: "d-bp1j17ifxfasvts3tf40"  # TODO: id of the cloud disk

Aliyun NAS

apiVersion: v1
kind: PersistentVolume
metadata:
  name: nas-pv1  # TODO: name of the NAS PV
spec:
  capacity:
    storage: 5Gi  # size
  accessModes:
    - ReadWriteMany
  flexVolume:
    driver: "alicloud/nas"
    options:
      server: "0cd8b4a576-grs79.cn-hangzhou.nas.aliyuncs.com"  # TODO: NAS mount target
      path: "/k8s1"  # sub-directory exported to this PV; scope it to one directory rather than the NAS root
      vers: "4.0"  # NFS protocol version
      mode: "755"  # permission applied to the mount point; quoted so YAML keeps it as a string instead of a number

Aliyun NAS provisioner

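apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: alicloud-nas
provisioner: alicloud/nas  # must equal the PROVISIONER_NAME the controller below announces

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: alicloud-nas-controller
  namespace: kube-system

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: run-alicloud-nas-controller
subjects:
  - kind: ServiceAccount
    name: alicloud-nas-controller
    namespace: kube-system
roleRef:
  kind: ClusterRole
  # this ClusterRole is not defined on this page and must already exist (it is borrowed from the
  # disk controller). The binding is cluster-wide, so review its rules before applying.
  name: alicloud-disk-controller-runner
  apiGroup: rbac.authorization.k8s.io

---
kind: Deployment
apiVersion: apps/v1  # extensions/v1beta1 Deployment was removed in Kubernetes 1.16
metadata:
  name: alicloud-nas-controller
  namespace: kube-system
spec:
  replicas: 1
  strategy:
    type: Recreate
  # apps/v1 makes selector mandatory; it must match the pod template labels below
  selector:
    matchLabels:
      app: alicloud-nas-controller
  template:
    metadata:
      labels:
        app: alicloud-nas-controller
    spec:
      tolerations:
        - effect: NoSchedule
          operator: Exists
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          operator: Exists
          key: node.cloudprovider.kubernetes.io/uninitialized
      # pins the controller to control-plane nodes; newer clusters label them
      # node-role.kubernetes.io/control-plane instead, so adjust the selector and toleration if needed
      nodeSelector:
        node-role.kubernetes.io/master: ""
      serviceAccountName: alicloud-nas-controller  # `serviceAccount` is the deprecated alias of this field
      containers:
        - name: alicloud-nas-controller
          image: registry.cn-hangzhou.aliyuncs.com/acs/alicloud-nas-controller:v1.8.4
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: alicloud/nas
            - name: NFS_SERVER
              value: 0cd8b4a576-mmi32.cn-hangzhou.nas.aliyuncs.com  # TODO: your NAS mount target
            - name: NFS_PATH
              value: /
      volumes:
        - name: nfs-client-root
          nfs:
            server: 0cd8b4a576-mmi32.cn-hangzhou.nas.aliyuncs.com  # TODO: your NAS mount target
            path: /  # the controller mounts the NAS root and therefore can read/write every volume it provisions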

Aliyun OSS

apiVersion: v1
kind: PersistentVolume
metadata:
  name: oss-pv1  # TODO: name of the OSS PV
spec:
  capacity:
    storage: 5Gi  # size
  accessModes:
    - ReadWriteMany
  flexVolume:
    driver: "alicloud/oss"
    options:
      bucket: "mybucket"  # TODO: your bucket
      url: "oss-cn-hangzhou.aliyuncs.com"
      # NOTE: flexVolume options are stored in plain text on the PV object, a cluster-scoped
      # resource readable by anyone allowed to get PersistentVolumes. Never commit real keys
      # here; use a sub-account key scoped to this bucket and rotate it.
      akId: "***"  # TODO: access key id
      akSecret: "***"  # TODO: access key secret
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"  # mount options passed to the OSS FUSE client

Ceph RBD

apiVersion: v1
kind: PersistentVolume
metadata:
  name: ceph-rbd-pv1  # TODO: PV name
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 10Gi  # size
  persistentVolumeReclaimPolicy: Delete  # TODO: Delete or Retain
  rbd:
    image: kubernetes-dynamic-pvc-92c9a35e-eadb-11e7-80f5-0a58ac10081b  # TODO: RBD image name
    keyring: /etc/ceph/keyring  # keyring path on the node; ignored when secretRef is set
    monitors:
      - ceph-mon.ceph.svc.cluster.local:6789  # TODO: Ceph monitor endpoint(s)
    pool: rbd
    secretRef:
      name: pvc-ceph-client-key  # Secret holding the Ceph client key; takes precedence over keyring
    user: admin  # Ceph user; prefer a client restricted to this pool over admin
  storageClassName: general

NFS

apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfs-pv4  # TODO: name of the NFS PV
spec:
  capacity:
    storage: 1Gi  # TODO: size of this PV
  accessModes:
    - ReadWriteMany
  nfs:
    # TODO: use the right IP
    server: 192.168.254.15
    # TODO: use the right export path
    path: "/storage"
  persistentVolumeReclaimPolicy: Recycle  # TODO: Recycle or Retain. Recycle is deprecated; Retain keeps the data for manual cleanup

Permission

Grant user permissions

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding  # grants the permissions of a Role to the listed subjects within one namespace
metadata:
  name: user1-restricted  # TODO: binding name
  # namespace: test-namespace  # TODO: namespace the binding applies to; the referenced Role must exist in that same namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: regular-users  # TODO: an existing Role (the set of permissions)
subjects:
  - kind: ServiceAccount
    name: user1  # TODO: the service account (or user) being granted access
    namespace: users-namespace  # TODO: namespace the service account belongs to

Role

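kind: Role
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: regular-users
rules:
  - apiGroups: ["", "extensions", "apps"]
    # resource set for the default restricted users.
    # NOTE: full access to "secrets" lets these users read every Secret in the namespace,
    # including service-account tokens; drop it or restrict the verbs unless it is required.
    # "nodeports" is not an API resource (NodePort is a Service type), so that entry matches nothing.
    resources: ["deployments", "replicasets", "pods", "persistentvolumeclaims", "services", "configmaps", "replicationcontrollers", "secrets", "nodeports"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]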

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding  # grants the permissions of a Role to the listed subjects within one namespace
metadata:
  name: user1-restricted  # TODO: binding name
  # namespace: users-namespace  # TODO: namespace the binding applies to; the referenced Role must exist in that same namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: regular-users  # TODO: an existing Role (the set of permissions)
subjects:
  - kind: ServiceAccount
    name: user1  # TODO: the service account (or user) being granted access
    namespace: users-namespace  # TODO: namespace the service account belongs to

Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: user1  # TODO: replace with your user name
  # namespace: users-namespace  # TODO: replace with your namespace
# automountServiceAccountToken: true  # whether pods using this account get an API token mounted by default
# create the docker registry secret with:
# `kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL`
# imagePullSecrets:  # pull secrets applied automatically to every pod running under this account
#   - name: myregistrykey

Service Account Secret

apiVersion: v1
kind: Secret
metadata:
  name: user1-token-manually
  annotations:
    kubernetes.io/service-account.name: user1  # ServiceAccount this token belongs to; it must exist before the Secret is created
type: kubernetes.io/service-account-token  # the token controller fills in `data` (token, ca.crt, namespace)
# NOTE: a token issued this way does not expire; treat it as a long-lived credential and delete the Secret to revoke it