Pod init container
|
|
|
|
https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
|
|
|
|
A Pod can have multiple containers running apps within it, but it can also have one or more init containers, which are run before the app containers are started.
|
|
|
|
Init containers are exactly like regular containers, except:
|
|
|
|
Init containers always run to completion.
|
|
Each init container must complete successfully before the next one starts.
|
|
|
|
If a Pod's init container fails, the kubelet repeatedly restarts that init container until it succeeds. However, if the Pod has a restartPolicy of Never, and an init container fails during startup of that Pod, Kubernetes treats the overall Pod as failed.
|
|
|
|
# Remove the whoami Service first so the init container below has something
# to wait for.
kubectl delete service whoami

# Quoted heredoc: the shell expands nothing inside it, so the $(...) in the
# nslookup command needs no backslash escape; the written file is the same.
cat >myapp-pod.yaml <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
    - name: myapp-container
      image: busybox:1.28
      command: ['sh', '-c', 'echo The app is running! && sleep 30']
  initContainers:
    - name: init-whoami
      image: busybox:1.28
      command: ['sh', '-c', "until nslookup whoami.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for whoami; sleep 2; done"]
EOF

kubectl apply -f myapp-pod.yaml

# describe shows the init container still looping: the Service does not
# exist yet, so the DNS name never resolves.
kubectl describe pod myapp-pod

# Recreate the Service; the init container completes and the app container
# starts.
kubectl apply -f service.yaml
kubectl describe pod myapp-pod
|
|
|
|
https://github.com/groundnuty/k8s-wait-for
|
|
|
|
# Second variant: after the DNS wait, a k8s-wait-for init container blocks
# until a Pod labelled app=whoami is ready. That container talks to the API
# server with the Pod's ServiceAccount token (the namespace's default SA here),
# which is why the Role and RoleBinding further down are needed.
cat >myapp-pod-exists.yaml <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod-exists
  labels:
    app: myapp
spec:
  containers:
    - name: myapp-container
      image: busybox:1.28
      command: ['sh', '-c', 'echo The app is running! && sleep 30']
  initContainers:
    - name: init-whoami
      image: busybox:1.28
      command: ['sh', '-c', "until nslookup whoami.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for whoami; sleep 2; done"]
    - name: wait-for-whoami-pods
      image: ghcr.io/groundnuty/k8s-wait-for:v1.7
      imagePullPolicy: IfNotPresent
      args:
        - "pod-wr"
        - "-lapp=whoami"
EOF

# Scale whoami to zero so that no labelled Pod is ready and the second init
# container has to wait (it is scaled back up later in these notes).
kubectl scale deployment whoami --replicas=0
kubectl apply -f myapp-pod-exists.yaml
|
|
|
|
# Read-only Role for the k8s-wait-for init container, created in the current
# namespace. The `pod-wr` mode used above only reads pods; services and
# deployments are broader than that init container needs and could be dropped
# for least privilege.
kubectl create role pod-reader \
  --verb=get \
  --verb=list \
  --verb=watch \
  --resource=pods,services,deployments

# Show what the server actually stored.
kubectl get role pod-reader -o yaml
|
|
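# Output of `kubectl get role pod-reader -o yaml`; server-populated metadata
# (creationTimestamp, resourceVersion, uid) is part of the captured output.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2022-10-27T13:11:32Z"
  name: pod-reader
  namespace: whoami-1
  resourceVersion: "48787"
  uid: 2aadcee7-66bc-4ebe-8acc-5f76e2065480
rules:
  # "" is the core API group: read-only access to pods and services.
  - apiGroups:
      - ""
    resources:
      - pods
      - services
    verbs:
      - get
      - list
      - watch
  # apps group: read-only access to deployments.
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch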
|
|
|
|
|
|
# Bind the Role to the namespace's default ServiceAccount. Note the blast
# radius: every Pod in whoami-1 that does not set serviceAccountName runs as
# this account and therefore inherits these reads. A dedicated ServiceAccount
# for the waiting Pod keeps the grant scoped to the one workload.
kubectl create rolebinding default-pod-reader \
  --role=pod-reader \
  --serviceaccount=whoami-1:default \
  --namespace=whoami-1

# Show what the server actually stored.
kubectl get rolebindings.rbac.authorization.k8s.io default-pod-reader -o yaml
|
|
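# Output of `kubectl get rolebindings.rbac.authorization.k8s.io default-pod-reader -o yaml`.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2022-10-27T13:15:02Z"
  name: default-pod-reader
  namespace: whoami-1
  resourceVersion: "48886"
  # The server-generated uid line was lost when this output was captured.
# roleRef is immutable after creation; it points at the namespaced Role above.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
  # Every Pod in whoami-1 without an explicit serviceAccountName runs as this
  # account, so all of them receive the Role's read permissions.
  - kind: ServiceAccount
    name: default
    namespace: whoami-1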
|
|
|
|
# Check the binding from the ServiceAccount's point of view via impersonation.
kubectl auth can-i list deployments.apps \
  --as system:serviceaccount:whoami-1:default
# yes

# Only get/list/watch were granted, so a write verb is denied.
kubectl auth can-i create deployments.apps \
  --as system:serviceaccount:whoami-1:default
# no

# Bring whoami back; the wait-for init container finishes once a labelled
# Pod reports ready.
kubectl scale deployment whoami --replicas=1
kubectl logs myapp-pod-exists -c wait-for-whoami-pods
# [2022-10-27 13:34:14] Waiting for pod -lapp=whoami...
# [2022-10-27 13:34:16] pod -lapp=whoami is ready.

kubectl get pods
# NAME               READY   STATUS      RESTARTS      AGE
# ...
# myapp-pod-exists   0/1     Completed   1 (36s ago)   31m
|
|
|
|
Postgres initContainer
|
|
|
|
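# Deployment excerpt: an init container that blocks app start-up until the
# Postgres server at host "postgres" accepts connections.
# apps/v1beta1 was removed from Kubernetes in v1.16; apps/v1 is the supported
# version and requires spec.selector, added below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
spec:
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      volumes:
        - name: config-volume
          configMap:
            name: app-config
      initContainers:
        - name: check-db-ready
          # Any image that ships the pg_isready client works; the full
          # postgres image is used here only for convenience.
          image: postgres:15
          # pg_isready only confirms the server accepts connections; it does
          # not check credentials or that the schema is ready.
          command:
            - sh
            - '-c'
            - 'until pg_isready -h postgres -p 5432; do echo waiting for database; sleep 2; done;'
      # containers: (the app containers themselves) are not part of this excerpt.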
|
|
|
|
Git Sync
|
|
|
|
https://github.com/kubernetes/git-sync
|
|
https://github.com/kubernetes/git-sync/blob/master/docs/ssh.md
|
|
https://github.com/kubernetes/git-sync/blob/master/docs/kubernetes.md
|
|
https://www.heise.de/tipps-tricks/SSH-Key-erstellen-so-geht-s-4400280.html
|
|
|
|
Challenges:
|
|
|
|
Create SSH Key
|
|
Create local git repo
|
|
Create a secret with SSH Key
|
|
Create a pod with git sync initContainer from local repo
|
|
|
|
Create SSH Key
|
|
|
|
# Generate the key pair for git-sync. Press Enter at the passphrase prompt:
# the private key is stored unencrypted because it will be copied into a
# Kubernetes Secret and used non-interactively. Keep its blast radius small:
# register the public half as a read-only deploy key for just this repository
# and keep the file at mode 0600.
ssh-keygen -t rsa -b 4096 -f "$HOME/.ssh/id_cnbc-rsa"
|
|
|
|
Example of using Git Sync
|
|
|
|
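# Make a directory (owned by you) for the volume. The variable is quoted on
# every use so a path containing spaces cannot split the -v argument.
export DIR="/tmp/git-data"
mkdir -p "$DIR"

# Run git-sync as your own UID/GID so the files it writes under $DIR are
# owned by you rather than by root.
# k8s.gcr.io is the legacy image registry; current git-sync images are
# published under registry.k8s.io.
docker container run -d \
  -v "$DIR:/tmp/git" \
  -u "$(id -u):$(id -g)" \
  k8s.gcr.io/git-sync/git-sync:v4.0.0 \
  --repo=https://github.com/kubernetes/git-sync \
  --root=/tmp/git/root \
  --period=30s

# Run an nginx container to serve the content. It exposes the whole volume,
# i.e. git-sync's working directory under root/ with everything in the
# repository, on localhost:8080 — fine for a local demo, not for anything
# reachable by others. The nginx tag is unpinned; pin it for anything beyond
# a demo.
docker container run -d \
  -p 8080:80 \
  -v "$DIR:/usr/share/nginx/html" \
  nginx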
|
|
|