From 47a50a0f7c625786092fd8f2b07fb50ab39b2dcf Mon Sep 17 00:00:00 2001 
From: Alexander van Vugt Date: Wed, 4 Dec 2019 12:10:43 +0100 Subject: [PATCH] initial upload --- README.md | 1 + busybox-svc.yaml | 11 ++++++ busybox.yaml | 14 ++++++++ counter.sh | 11 ++++++ crd-backup.yaml | 8 +++++ crd-crontab-beta1.yaml | 31 +++++++++++++++++ crd-crontab.yaml | 33 ++++++++++++++++++ crd-object.yaml | 14 ++++++++ daemonset-fluentd.yaml | 42 +++++++++++++++++++++++ dev-role.yaml | 10 ++++++ init-container.yaml | 15 +++++++++ init1.yaml | 13 ++++++++ init2.yaml | 10 ++++++ join-net.sh | 6 ++++ kube-setup.sh | 36 ++++++++++++++++++++ lab21.sh | 9 +++++ lab7-1.yaml | 18 ++++++++++ lab7-2.yaml | 20 +++++++++++ my-crontab.yaml | 7 ++++ networkpolicy-example.yaml | 34 +++++++++++++++++++ pod-with-node-affinity.yaml | 26 +++++++++++++++ pod-with-pod-affinity.yaml | 29 ++++++++++++++++ prod-role.yaml | 10 ++++++ redis-with-pod-affinity.yaml | 27 +++++++++++++++ rolebind.yaml | 13 ++++++++ rolebindprod.yaml | 13 ++++++++ security-context.yaml | 21 ++++++++++++ selector-pod.yaml | 11 ++++++ setup-docker.sh | 57 ++++++++++++++++++++++++++++++++ setup-kubetools.sh | 32 ++++++++++++++++++ taint-toleration.yaml | 15 +++++++++ webserver-with-pod-affinity.yaml | 36 ++++++++++++++++++++ 32 files changed, 633 insertions(+) create mode 100644 README.md create mode 100644 busybox-svc.yaml create mode 100644 busybox.yaml create mode 100755 counter.sh create mode 100644 crd-backup.yaml create mode 100644 crd-crontab-beta1.yaml create mode 100644 crd-crontab.yaml create mode 100644 crd-object.yaml create mode 100644 daemonset-fluentd.yaml create mode 100644 dev-role.yaml create mode 100644 init-container.yaml create mode 100644 init1.yaml create mode 100644 init2.yaml create mode 100755 join-net.sh create mode 100755 kube-setup.sh create mode 100755 lab21.sh create mode 100644 lab7-1.yaml create mode 100644 lab7-2.yaml create mode 100644 my-crontab.yaml create mode 100644 networkpolicy-example.yaml create mode 100644 pod-with-node-affinity.yaml create mode 100644 
pod-with-pod-affinity.yaml create mode 100644 prod-role.yaml create mode 100644 redis-with-pod-affinity.yaml create mode 100644 rolebind.yaml create mode 100644 rolebindprod.yaml create mode 100755 security-context.yaml create mode 100644 selector-pod.yaml create mode 100755 setup-docker.sh create mode 100755 setup-kubetools.sh create mode 100644 taint-toleration.yaml create mode 100644 webserver-with-pod-affinity.yaml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..dbebd54
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# files for my CKA online course
diff --git a/busybox-svc.yaml b/busybox-svc.yaml
new file mode 100644
index 0000000..f52ac71
--- /dev/null
+++ b/busybox-svc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: busybox-service
+spec:
+ selector:
+ app: busybox
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 9376
diff --git a/busybox.yaml b/busybox.yaml
new file mode 100644
index 0000000..bdbdcec
--- /dev/null
+++ b/busybox.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox2
+ namespace: default
+ labels:
+ app: busybox
+spec:
+ containers:
+ - name: busy
+ image: busybox
+ command:
+ - sleep
+ - "3600"
diff --git a/counter.sh b/counter.sh
new file mode 100755
index 0000000..ead984c
--- /dev/null
+++ b/counter.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+COUNTER=$1
+COUNTER=$(( COUNTER * 60 ))
+
+while true
+do
+ echo $COUNTER seconds remaining
+ sleep 1
+ COUNTER=$(( COUNTER - 1 ))
+done
diff --git a/crd-backup.yaml b/crd-backup.yaml
new file mode 100644
index 0000000..c2bd67c
--- /dev/null
+++ b/crd-backup.yaml
@@ -0,0 +1,8 @@
+apiVersion: "stable.linux.com/v1"
+kind: BackUp
+metadata:
+ name: mybackup
+spec:
+ timeSpec: "* * * * */5"
+ image: linux-backup-image
+ replicas: 5
diff --git a/crd-crontab-beta1.yaml b/crd-crontab-beta1.yaml
new file mode 100644
index 0000000..84e8088
--- /dev/null
+++ b/crd-crontab-beta1.yaml
@@ -0,0 +1,31 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: crontabs.stable.example.com
+spec:
+ group: stable.example.com
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ scope: Namespaced
+ names:
+ plural: crontabs
+ singular: crontab
+ kind: CronTab
+ shortNames:
+ - ct
+ preserveUnknownFields: false
+ validation:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ cronSpec:
+ type: string
+ image:
+ type: string
+ replicas:
+ type: integer
diff --git a/crd-crontab.yaml b/crd-crontab.yaml
new file mode 100644
index 0000000..6649219
--- /dev/null
+++ b/crd-crontab.yaml
@@ -0,0 +1,33 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: crontabs.stable.example.com
+spec:
+ group: stable.example.com
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ cronSpec:
+ type: string
+ image:
+ type: string
+ replicas:
+ type: integer
+ scope: Namespaced
+ names:
+ plural: crontabs
+ singular: crontab
+ kind: CronTab
+ shortNames:
+ - ct
diff --git a/crd-object.yaml b/crd-object.yaml
new file mode 100644
index 0000000..9d572ef
--- /dev/null
+++ b/crd-object.yaml
@@ -0,0 +1,14 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: backups.stable.linux.com
+spec:
+ group: stable.linux.com
+ version: v1
+ scope: Namespaced
+ names:
+ plural: backups
+ singular: backup
+ shortNames:
+ - bks
+ kind: BackUp
diff --git a/daemonset-fluentd.yaml b/daemonset-fluentd.yaml
new file mode 100644
index 0000000..1bfa082
--- /dev/null
+++ b/daemonset-fluentd.yaml
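Review bot: The `openAPIV3Schema` in crd-crontab.yaml nests `spec` twice (`properties: spec: type: object properties: spec: ...`), so `cronSpec`, `image` and `replicas` are declared under `spec.spec` instead of `spec`. With `apiextensions.k8s.io/v1` the schema is structural and fields it does not declare are pruned on admission unless `x-kubernetes-preserve-unknown-fields` is set, so a CronTab written like my-crontab.yaml (`spec.cronSpec`, `spec.image`) would be stored with those fields silently dropped and never validated. Remove the inner `spec:` / `type: object` / `properties:` level so the three properties sit directly under the outer `spec`, which is what the v1beta1 variant in crd-crontab-beta1.yaml already does. Indentation in this hunk is lost in the rendering, so the nesting is inferred from key order and the declared 33-line count.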
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: fluentd-elasticsearch
+ namespace: kube-system
+ labels:
+ k8s-app: fluentd-logging
+spec:
+ selector:
+ matchLabels:
+ name: fluentd-elasticsearch
+ template:
+ metadata:
+ labels:
+ name: fluentd-elasticsearch
+ spec:
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ containers:
+ - name: fluentd-elasticsearch
+ image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ volumeMounts:
+ - name: varlog
+ mountPath: /var/log
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ readOnly: true
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: varlog
+ hostPath:
+ path: /var/log
+ - name: varlibdockercontainers
+ hostPath:
+ path: /var/lib/docker/containers
diff --git a/dev-role.yaml b/dev-role.yaml
new file mode 100644
index 0000000..743e087
--- /dev/null
+++ b/dev-role.yaml
@@ -0,0 +1,10 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ namespace: development
+ name: developer
+rules:
+- apiGroups: ["", "extensions", "apps"]
+ resources: ["deployments", "replicasets", "pods"]
+ verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
+
diff --git a/init-container.yaml b/init-container.yaml
new file mode 100644
index 0000000..99579f7
--- /dev/null
+++ b/init-container.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: init-demo
+ labels:
+ app: init-demo
+spec:
+ containers:
+ - name: demo-container
+ image: busybox
+ command: ['sh', '-c', 'sleep 3600']
+ initContainers:
+ - name: init-container
+ image: busybox
+ command: ['sh', '-c', 'sleep 30']
diff --git a/init1.yaml b/init1.yaml
new file mode 100644
index 0000000..2dad4d1
--- /dev/null
+++ b/init1.yaml
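Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` in dev-role.yaml is the deprecated RBAC version; `rbac.authorization.k8s.io/v1` has been the stable API since Kubernetes 1.8 and the v1beta1 version was removed in 1.22, so this manifest is rejected on current clusters. The same line appears in prod-role.yaml, rolebind.yaml and rolebindprod.yaml; change all four to `apiVersion: rbac.authorization.k8s.io/v1`. The `verbs` list also grants `create`/`update`/`patch`/`delete` on `pods` in the development namespace, which is reasonable for a developer role but broad enough to deserve a one-line comment stating that this is intended, since it lets the subject run any image there.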
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: initpod
+spec:
+ containers:
+ - name: after-init
+ image: busybox
+ command: ['sh', '-c', 'echo its running! && sleep 3600']
+ initContainers:
+ - name: init-myservice
+ image: busybox
+ command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
diff --git a/init2.yaml b/init2.yaml
new file mode 100644
index 0000000..054c76a
--- /dev/null
+++ b/init2.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: myservice
+spec:
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 9376
diff --git a/join-net.sh b/join-net.sh
new file mode 100755
index 0000000..5853347
--- /dev/null
+++ b/join-net.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# run this on worker node only
+# make sure this matches the mey in the output of the kubeadm init command
+
+kubeadm join 192.168.4.110:8080 --token d0xzor.dns5rialmgzp5asv \
+ --discovery-token-ca-cert-hash sha256:79e7203a963d1445d19707ea2c6f5c3c6f3c568bd97f825542575dea15a597ba
diff --git a/kube-setup.sh b/kube-setup.sh
new file mode 100755
index 0000000..6903d7e
--- /dev/null
+++ b/kube-setup.sh
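Review bot: join-net.sh commits a kubeadm bootstrap token (`--token d0xzor.dns5rialmgzp5asv`) together with the discovery CA hash; a bootstrap token is a credential that authorises a node to join the cluster, so once pushed it should be treated as exposed — delete it on the control plane (`kubeadm token delete`) and keep a placeholder in the script, e.g. `--token <TOKEN>`, to be filled in from the `kubeadm init` output at join time. The endpoint `192.168.4.110:8080` is also inconsistent with the rest of the commit: setup-docker.sh maps the control node to `192.168.4.111` and opens `6443/tcp` on it, and kubeadm's API server listens on 6443 by default, so `192.168.4.111:6443` is probably what was meant. Typo in the comment: `mey` → `key`.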
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# verified on Fedora 29 Server
+
+
+# add vbox repo
+rm -f /etc/yum.repos.d/vbox.repo
+
+cat << REPO >> /etc/yum.repos.d/vbox.repo
+[virtualbox]
+name=Fedora $releasever - $basearch - VirtualBox
+baseurl=http://download.virtualbox.org/virtualbox/rpm/fedora/\$releasever/\$basearch
+enabled=1
+gpgcheck=0
+repo_gpgcheck=0
+gpgkey=https://www.virtualbox.org/download/oracle_vbox.asc
+REPO
+
+dnf clean all
+dnf upgrade
+
+# install vbox
+echo installing virtualbox
+dnf install make perl kernel-devel gcc elfutils-libelf-devel -y
+dnf install VirtualBox-5.2 -y
+echo installing kubectl
+dnf install kubernetes-client -y
+echo downloading minikube, check version
+curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
+
+chmod +x minikube
+cp minikube /usr/local/bin
+
+echo at this point, reboot your Fedora Server. After reboot, manually run:
+echo vboxconfig
+echo minikube start
diff --git a/lab21.sh b/lab21.sh
new file mode 100755
index 0000000..776fd8c
--- /dev/null
+++ b/lab21.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# RHCSA Labs lesson 21 script
+# SvV
+# version 0.1
+
+grep -i enforcing /etc/sysconfig/selinux >/dev/null 2>&1 || echo no enforcing set in /etc/sysconfig/selinux
+getenforce | grep -i enforcing >/dev/null 2>&1 || echo currently not in enforcing mode
+history | tail -20 | grep restorecon >/dev/null 2>&1 || echo you have not run the restorecon command recently
diff --git a/lab7-1.yaml b/lab7-1.yaml
new file mode 100644
index 0000000..40c0bdb
--- /dev/null
+++ b/lab7-1.yaml
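Review bot: The VirtualBox repo written by the `cat << REPO` heredoc in kube-setup.sh sets `gpgcheck=0` and `repo_gpgcheck=0` and uses an `http://` baseurl, so packages are installed unsigned over plaintext even though a `gpgkey` is declared on the next line; set `gpgcheck=1` and `repo_gpgcheck=1` and change the baseurl to `https://download.virtualbox.org/...`. The minikube binary fetched by `curl -Lo minikube .../latest/minikube-linux-amd64` is likewise copied into /usr/local/bin without any checksum or signature check, which also makes the run unreproducible because `latest` moves. Two smaller defects: the heredoc delimiter is unquoted, so `$releasever` and `$basearch` on the `name=` line expand to empty strings when the script runs (the `baseurl` line escapes them, the `name` line does not), and `dnf upgrade` has no `-y`, so the script stops at a prompt before reaching the install steps.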
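Review bot: `history | tail -20 | grep restorecon` in lab21.sh cannot work as written: a non-interactive bash script does not load the history list, so `history` prints nothing and the "you have not run the restorecon command recently" message is emitted unconditionally. Reading the invoking user's history file directly (for example `tail -20 ~/.bash_history`) or checking the labels on the files the lesson relabels is more reliable. The script is also an RHCSA SELinux exercise unrelated to the Kubernetes files in this commit; a line in README.md saying why it lives here would help.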
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: init-pod
+ labels:
+ app: initapp
+spec:
+ containers:
+ - name: main-container
+ image: busybox
+ command: ['sh', '-c', 'echo main app running && sleep 3600']
+ initContainers:
+ - name: init-myservie
+ image: busybox
+ command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done']
+ - name: init-db
+ image: busybox
+ command: ['sh', '-c', 'until nslookup mydb; do echo waiting for mydb; sleep 2; done']
diff --git a/lab7-2.yaml b/lab7-2.yaml
new file mode 100644
index 0000000..8164ae5
--- /dev/null
+++ b/lab7-2.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: myservice
+spec:
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 9376
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mydb
+spec:
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 9377
diff --git a/my-crontab.yaml b/my-crontab.yaml
new file mode 100644
index 0000000..d14b15f
--- /dev/null
+++ b/my-crontab.yaml
@@ -0,0 +1,7 @@
+apiVersion: "stable.example.com/v1"
+kind: CronTab
+metadata:
+ name: my-new-cronjob
+spec:
+ cronSpec: "* * * * */5"
+ image: my-cron-image
diff --git a/networkpolicy-example.yaml b/networkpolicy-example.yaml
new file mode 100644
index 0000000..ee00d1c
--- /dev/null
+++ b/networkpolicy-example.yaml
@@ -0,0 +1,34 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: test-network-policy
+ namespace: default
+spec:
+ podSelector:
+ matchLabels:
+ role: db
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 172.17.0.0/16
+ except:
+ - 172.17.1.0/24
+ - namespaceSelector:
+ matchLabels:
+ project: myproject
+ - podSelector:
+ matchLabels:
+ role: frontend
+ ports:
+ - protocol: TCP
+ port: 6379
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 10.0.0.0/24
+ ports:
+ - protocol: TCP
+ port: 5978
diff --git a/pod-with-node-affinity.yaml b/pod-with-node-affinity.yaml
new file mode 100644
index 0000000..0d0e2fd
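Review bot: The first init container in lab7-1.yaml is named `init-myservie`, a misspelling that shows up in `kubectl describe` and log output; rename it `init-myservice` to match the Service it waits for. Both init containers loop on `nslookup` with no upper bound, which is fine for the lesson but means the pod stays in Init indefinitely if the Services from lab7-2.yaml are not applied first; a comment at the top of the file such as `# apply lab7-2.yaml first: the init containers block until myservice and mydb resolve` would save students a stuck pod.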
--- /dev/null
+++ b/pod-with-node-affinity.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: with-node-affinity
+spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/e2e-az-name
+ operator: In
+ values:
+ - e2e-az1
+ - e2e-az2
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: another-node-label-key
+ operator: In
+ values:
+ - another-node-label-value
+ containers:
+ - name: with-node-affinity
+ image: k8s.gcr.io/pause:2.0
diff --git a/pod-with-pod-affinity.yaml b/pod-with-pod-affinity.yaml
new file mode 100644
index 0000000..35e645e
--- /dev/null
+++ b/pod-with-pod-affinity.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: with-pod-affinity
+spec:
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: security
+ operator: In
+ values:
+ - S1
+ topologyKey: failure-domain.beta.kubernetes.io/zone
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: security
+ operator: In
+ values:
+ - S2
+ topologyKey: failure-domain.beta.kubernetes.io/zone
+ containers:
+ - name: with-pod-affinity
+ image: k8s.gcr.io/pause:2.0
diff --git a/prod-role.yaml b/prod-role.yaml
new file mode 100644
index 0000000..28106ad
--- /dev/null
+++ b/prod-role.yaml
@@ -0,0 +1,10 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ namespace: production
+ name: dev-prod
+rules:
+- apiGroups: ["", "extensions", "apps"]
+ resources: ["deployments", "replicasets", "pods"]
+ verbs: ["list", "get", "watch"]
+
diff --git a/redis-with-pod-affinity.yaml b/redis-with-pod-affinity.yaml
new file mode 100644
index 0000000..fc83c32
--- /dev/null
+++ b/redis-with-pod-affinity.yaml
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis-cache
+spec:
+ selector:
+ matchLabels:
+ app: store
+ replicas: 3
+ template:
+ metadata:
+ labels:
+ app: store
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - store
+ topologyKey: "kubernetes.io/hostname"
+ containers:
+ - name: redis-server
+ image: redis:3.2-alpine
diff --git a/rolebind.yaml b/rolebind.yaml
new file mode 100644
index 0000000..a4893e3
--- /dev/null
+++ b/rolebind.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: developer-role-binding
+ namespace: development
+subjects:
+- kind: User
+ name: anna
+ apiGroup: ""
+roleRef:
+ kind: Role
+ name: developer
+ apiGroup: ""
diff --git a/rolebindprod.yaml b/rolebindprod.yaml
new file mode 100644
index 0000000..1f2878e
--- /dev/null
+++ b/rolebindprod.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: production-role-binding
+ namespace: production
+subjects:
+- kind: User
+ name: anna
+ apiGroup: ""
+roleRef:
+ kind: Role
+ name: dev-prod
+ apiGroup: ""
diff --git a/security-context.yaml b/security-context.yaml
new file mode 100755
index 0000000..a47834f
--- /dev/null
+++ b/security-context.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: security-context-demo
+spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 2000
+ volumes:
+ - name: securevol
+ emptyDir: {}
+ containers:
+ - name: sec-demo
+ image: busybox
+ command: ["sh", "-c", "sleep 3600"]
+ volumeMounts:
+ - name: securevol
+ mountPath: /data/demo
+ securityContext:
+ allowPrivilegeEscalation: false
diff --git a/selector-pod.yaml b/selector-pod.yaml
new file mode 100644
index 0000000..08dac4b
--- /dev/null
+++ b/selector-pod.yaml
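Review bot: `apiGroup: ""` on both the `subjects` entry and the `roleRef` in rolebind.yaml (and identically in rolebindprod.yaml) is the wrong group: for `kind: User` subjects and for `roleRef` the API group is `rbac.authorization.k8s.io`, and as far as I recall the API server rejects a RoleBinding whose `roleRef.apiGroup` is anything else, so these bindings would not be created. Use `apiGroup: rbac.authorization.k8s.io` in both places in each file. It is also worth a comment that the production binding grants the same user only the read-only `dev-prod` role from prod-role.yaml, since the two files are otherwise near-identical and easy to confuse.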
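Review bot: security-context.yaml demonstrates `runAsUser`/`runAsGroup`/`fsGroup` and `allowPrivilegeEscalation: false`, but for a file named as the security-context example it leaves out the fields that the restricted Pod Security profile checks alongside those: `runAsNonRoot: true` in the pod `securityContext` (redundant with the explicit uid here, but it is what the kubelet enforces if the uid were ever removed), and `capabilities: drop: ["ALL"]` plus `readOnlyRootFilesystem: true` in the container `securityContext`. Adding them, each with a one-line comment, would make this a complete teaching example rather than a partial one. Note also that the file is committed with mode 100755; a manifest does not need the executable bit.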
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ imagePullPolicy: IfNotPresent
+ nodeSelector:
+ disktype: ssd
diff --git a/setup-docker.sh b/setup-docker.sh
new file mode 100755
index 0000000..e9a7800
--- /dev/null
+++ b/setup-docker.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# script that runs
+# https://kubernetes.io/docs/setup/production-environment/container-runtime
+
+yum install -y vim yum-utils device-mapper-persistent-data lvm2
+yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
+
+# notice that only verified versions of Docker may be installed
+# verify the documentation to check if a more recent version is available
+
+yum install -y docker-ce
+[ ! -d /etc/docker ] && mkdir /etc/docker
+
+cat > /etc/docker/daemon.json <> /etc/hosts << EOF
+{
+ 192.168.4.111 control.example.com control
+ 192.168.4.112 worker1.example.com worker1
+ 192.168.4.113 worker2.example.com worker2
+}
+EOF
+
+mkdir -p /etc/systemd/system/docker.service.d
+
+systemctl daemon-reload
+systemctl restart docker
+systemctl enable docker
+
+if [[ $HOSTNAME = control.example.com ]]
+then
+ firewall-cmd --add-port 6443/tcp --permanent
+ firewall-cmd --add-port 2379-2380/tcp --permanent
+ firewall-cmd --add-port 10250/tcp --permanent
+ firewall-cmd --add-port 10251/tcp --permanent
+ firewall-cmd --add-port 10252/tcp --permanent
+fi
+
+if echo $HOSTNAME | grep worker
+then
+ firewall-cmd --add-port 10250/tcp --permanent
+ firewall-cmd --add-port 30000-32767/tcp --permanent
+fi
+
+systemctl restart firewalld
diff --git a/setup-kubetools.sh b/setup-kubetools.sh
new file mode 100755
index 0000000..3869386
--- /dev/null
+++ b/setup-kubetools.sh
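Review bot: The line `cat > /etc/docker/daemon.json <> /etc/hosts << EOF` in setup-docker.sh cannot be what the file contains: the hunk header declares 57 lines but only 43 are visible, and the gap sits exactly where the daemon.json heredoc body and the following `cat >> /etc/hosts` line would be, so this rendering has most likely dropped the text between `<<EOF` and the next `>` — the daemon.json content (cgroup driver, log options, storage driver) cannot be reviewed here and should be checked against the real file. Two things are visible regardless: the `/etc/hosts` heredoc wraps the three host entries in `{` and `}` lines, which are not valid hosts-file syntax and will be appended verbatim, and `mkdir -p /etc/systemd/system/docker.service.d` creates a drop-in directory that nothing then populates, so the `systemctl daemon-reload` that follows has nothing to pick up. The script also runs `yum install` and `systemctl` without `set -e`, so a failed Docker install still proceeds to the firewall rules.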
@@ -0,0 +1,32 @@
+#!/bin/bash
+# kubeadm installation instructions as on
+# https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
+
+cat < /etc/yum.repos.d/kubernetes.repo
+[kubernetes]
+name=Kubernetes
+baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
+EOF
+
+# Set SELinux in permissive mode (effectively disabling it)
+setenforce 0
+sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
+
+# disable swap (assuming that the name is /dev/centos/swap
+sed -i 's/^\/dev\/mapper\/centos-swap/#\/dev\/mapper\/centos-swap/' /etc/fstab
+swapoff /dev/mapper/centos-swap
+
+yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
+
+systemctl enable --now kubelet
+
+# Set iptables bridging
+cat < /etc/sysctl.d/k8s.conf
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1
+EOF
+sysctl --system
diff --git a/taint-toleration.yaml b/taint-toleration.yaml
new file mode 100644
index 0000000..699ab1c
--- /dev/null
+++ b/taint-toleration.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-toleration
+ labels:
+ env: test
+spec:
+ containers:
+ - name: nginx-toleration
+ image: nginx
+ imagePullPolicy: IfNotPresent
+ tolerations:
+ - key: "example-key"
+ operator: "Exists"
+ effect: "NoSchedule"
diff --git a/webserver-with-pod-affinity.yaml b/webserver-with-pod-affinity.yaml
new file mode 100644
index 0000000..93070ce
--- /dev/null
+++ b/webserver-with-pod-affinity.yaml
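Review bot: `cat < /etc/yum.repos.d/kubernetes.repo` and `cat < /etc/sysctl.d/k8s.conf` in setup-kubetools.sh read as input redirections followed by a stray `EOF` command, which cannot be what runs; the declared 32-line count matches the visible lines, so this looks like the `<<EOF >` heredoc operator being lost inside the line when the page was rendered — worth confirming against the actual file, but if the file really says `cat <` the repo and sysctl files are never written. On the content itself, the kubernetes repo correctly keeps `gpgcheck=1` and `repo_gpgcheck=1` (unlike the VirtualBox repo in kube-setup.sh), but `setenforce 0` plus the `sed` on /etc/selinux/config leaves the node permanently permissive, and the comment only says so without pointing to when it can be restored. The swap comment names `/dev/centos/swap` while the `sed`/`swapoff` lines use `/dev/mapper/centos-swap`; `swapoff -a` avoids depending on the device name at all, and the `sed` should then comment out any `swap` line rather than one specific path.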
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: web-server
+spec:
+ selector:
+ matchLabels:
+ app: web-store
+ replicas: 3
+ template:
+ metadata:
+ labels:
+ app: web-store
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - web-store
+ topologyKey: "kubernetes.io/hostname"
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - store
+ topologyKey: "kubernetes.io/hostname"
+ containers:
+ - name: web-app
+ image: nginx:1.12-alpine