added

2022-12-16 12:21:57 +01:00
parent 199a7e11b5
commit 8ee05cb88d
60 changed files with 3516 additions and 2 deletions
--- a/k3d/pod_init/doku
+++ b/k3d/pod_init/doku
@@ -0,0 +1,201 @@
+Pod init container
+
+    https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+
+A Pod can have multiple containers running apps within it, but it can also have one or more init containers, which are run before the app containers are started.
+
+Init containers are exactly like regular containers, except:
+
+    Init containers always run to completion.
+    Each init container must complete successfully before the next one starts.
+
+If a Pod's init container fails, the kubelet repeatedly restarts that init container until it succeeds. However, if the Pod has a restartPolicy of Never, and an init container fails during startup of that Pod, Kubernetes treats the overall Pod as failed.
+
+kubectl delete service whoami
+cat >myapp-pod.yaml <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: myapp-container
+    image: busybox:1.28
+    command: ['sh', '-c', 'echo The app is running! && sleep 30']
+  initContainers:
+  - name: init-whoami
+    image: busybox:1.28
+    command: ['sh', '-c', "until nslookup whoami.\$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for whoami; sleep 2; done"] 
+EOF
+kubectl apply -f myapp-pod.yaml
+kubectl describe pod myapp-pod
+# initContainer not ready
+kubectl apply -f service.yaml 
+kubectl describe pod myapp-pod
+
+    https://github.com/groundnuty/k8s-wait-for
+
+cat >myapp-pod-exists.yaml <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod-exists
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: myapp-container
+    image: busybox:1.28
+    command: ['sh', '-c', 'echo The app is running! && sleep 30']
+  initContainers:
+  - name: init-whoami
+    image: busybox:1.28
+    command: ['sh', '-c', "until nslookup whoami.\$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for whoami; sleep 2; done"] 
+  - name: wait-for-whoami-pods
+    image: ghcr.io/groundnuty/k8s-wait-for:v1.7
+    imagePullPolicy: IfNotPresent
+    args:
+      - "pod-wr"
+      - "-lapp=whoami"
+EOF
+
+kubectl scale deployment whoami --replicas=0
+kubectl apply -f myapp-pod-exists.yaml
+
+kubectl create role pod-reader \
+  --verb=get --verb=list --verb=watch \
+  --resource=pods,services,deployments
+
+kubectl get role pod-reader -o yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: "2022-10-27T13:11:32Z"
+  name: pod-reader
+  namespace: whoami-1
+  resourceVersion: "48787"
+  uid: 2aadcee7-66bc-4ebe-8acc-5f76e2065480
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  verbs:
+  - get
+  - listhttps://artifacthub.io/
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+
+
+kubectl create rolebinding default-pod-reader \
+  --role=pod-reader \
+  --serviceaccount=whoami-1:default \
+  --namespace=whoami-1
+
+kubectl get rolebindings.rbac.authorization.k8s.io default-pod-reader  -o yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  creationTimestamp: "2022-10-27T13:15:02Z"
+  name: default-pod-reader
+  namespace: whoami-1
+  resourceVersion: "48886"https://artifacthub.io/
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-reader
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: whoami-1
+
+kubectl auth can-i list deployments.apps \
+  --as system:serviceaccount:whoami-1:default
+yes
+kubectl auth can-i create deployments.apps \
+  --as system:serviceaccount:whoami-1:default
+no
+
+kubectl scale deployment whoami --replicas=1
+kubectl logs myapp-pod-exists -c wait-for-whoami-pods
+[2022-10-27 13:34:14] Waiting for pod -lapp=whoami...
+[2022-10-27 13:34:16] pod -lapp=whoami is ready.
+kubectl get pods
+NAME                              READY   STATUS             RESTARTS        AGE
+...
+myapp-pod-exists                  0/1     Completed          1 (36s ago)     31m
+
+Postgres initContainer
+
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: webapp
+spec:
+  template:
+    metadata:
+      labels:
+        app: webapp
+    spec:
+      volumes:
+        - name: config-volume
+          configMap:
+            name: app-config
+      initContainers:
+      - name: check-db-ready
+        image: postgres:15
+        command: ['sh', '-c', 
+          'until pg_isready -h postgres -p 5432; 
+          do echo waiting for database; sleep 2; done;']
+
+Git Sync
+
+    https://github.com/kubernetes/git-sync
+    https://github.com/kubernetes/git-sync/blob/master/docs/ssh.md
+    https://github.com/kubernetes/git-sync/blob/master/docs/kubernetes.md
+    https://www.heise.de/tipps-tricks/SSH-Key-erstellen-so-geht-s-4400280.html
+
+Challenges:
+
+    Create SSH Key
+    Create local git repo
+    Create a secret with SSH Key
+    Create a pod with git sync initContainer from local repo
+
+Create SSH Key
+
+ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_cnbc-rsa
+# without password...
+
+Example to use Git Sync
+
+# make a directory (owned by you) for the volume
+export DIR="/tmp/git-data"
+mkdir -p $DIR
+
+# run the container (as your own UID)
+
+# run the container
+docker container run -d \
+    -v $DIR:/tmp/git \
+    -u$(id -u):$(id -g) \
+    k8s.gcr.io/git-sync/git-sync:v4.0.0 \
+        --repo=https://github.com/kubernetes/git-sync \
+        --root=/tmp/git/root \
+        --period=30s
+
+# run an nginx container to serve the content
+docker container run -d \
+    -p 8080:80 \
+    -v $DIR:/usr/share/nginx/html \
+    nginx
+