Including RoleBinding, ClusterRole, and Role ensures that we cover the essential Kubernetes RBAC objects.
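---
# Pod Manifest: Describes a single instance of a containerized application.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      # An untagged image resolves to the mutable :latest tag; pin a tag or digest
      # for reproducible deployments.
      image: nginx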
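---
# Deployment Manifest: Specifies a desired state for deploying and managing replicated applications.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # :latest is a mutable tag, so successive rollouts may pull different content.
          image: nginx:latest
          ports:
            - containerPort: 80
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # maxSurge accepts either an absolute pod count (e.g. 1) or a percentage of replicas.
      maxSurge: 50%
      maxUnavailable: 0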
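---
# ReplicationController Manifest: the legacy predecessor of ReplicaSet; keeps a fixed
# number of pod replicas running, selected by an equality-based label map.
apiVersion: v1
kind: ReplicationController
metadata:
  name: frontend-1
spec:
  replicas: 1
  selector:
    name: frontend
  template:
    metadata:
      labels:
        name: frontend
    spec:
      containers:
        - image: openshift/hello-openshift
          name: helloworld
          ports:
            - containerPort: 8080
              protocol: TCP
      restartPolicy: Always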
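---
# ReplicaSet Manifest: Ensures a specified number of pod replicas are running at any given time.
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: frontend-1
  labels:
    tier: frontend
spec:
  replicas: 3
  selector:
    # matchLabels and matchExpressions are ANDed: a pod must satisfy both.
    matchLabels:
      tier: frontend
    matchExpressions:
      - key: tier
        operator: In
        values:
          - frontend
  template:
    metadata:
      labels:
        tier: frontend
    spec:
      containers:
        - image: openshift/hello-openshift
          name: helloworld
          ports:
            - containerPort: 8080
              protocol: TCP
      restartPolicy: Always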
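---
# ReplicaSet Manifest (minimal form): selector must match the pod template labels.
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: myreplicaset
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: mycontainer
          image: nginx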
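---
# Service Manifest: Defines a set of Pods and a policy for accessing them.
# No `type` is given, so this defaults to ClusterIP (reachable only inside the cluster).
apiVersion: v1
kind: Service
metadata:
  name: myservice
spec:
  selector:
    app: myapp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80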
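---
# NodePort Service: opens the chosen port on every node of the cluster.
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
      # A space after the colon is required; `nodePort:31217` is parsed as a single
      # scalar string rather than a key/value pair.
      nodePort: 31217
  type: NodePort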
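---
# ExternalName Service: cluster DNS returns a CNAME to externalName; no proxying
# happens in-cluster, so the ports below are informational only.
apiVersion: v1
kind: Service
metadata:
  name: external-db-service
spec:
  type: ExternalName
  externalName: my-database.example.com
  ports:
    - protocol: TCP
      port: 3306
      targetPort: 3306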
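---
# Endpoints Manifest: manually backs a Service with fixed IPs.
# NOTE(review): an Endpoints object is only consumed by a selector-less ClusterIP
# Service of the same name; the ExternalName Service defined above with this name
# would ignore it. Pair it with a plain ClusterIP Service that has no selector.
apiVersion: v1
kind: Endpoints
metadata:
  name: external-db-service
subsets:
  - addresses:
      - ip: 192.168.1.100  # Replace with the actual IP address of your external service
    ports:
      - port: 3306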
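---
# Headless Service: clusterIP None means DNS returns the pod IPs directly instead
# of a virtual IP (used by StatefulSets for stable per-pod hostnames).
apiVersion: v1
kind: Service
metadata:
  name: headless-db-service
spec:
  clusterIP: None
  selector:
    app: database
  ports:
    - protocol: TCP
      port: 3306
      targetPort: 3306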
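---
# Namespace Manifest: Creates a logical partition within the Kubernetes cluster.
apiVersion: v1
kind: Namespace
metadata:
  name: mynamespace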
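---
# Label and Selector Manifest: Tags resources with identifying key-value pairs.
# NOTE: this Pod reuses the name `mypod`; applying this whole file would overwrite
# the earlier Pod of the same name in the same namespace.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  labels:
    app: myapp
spec:
  containers:
    - name: mycontainer
      image: nginx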
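---
# ConfigMap Manifest: Stores non-sensitive configuration data as key-value pairs.
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfigmap
data:
  key1: value1
  key2: value2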
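---
# Secret Manifest: Manages sensitive information like passwords, tokens, and keys.
# Values under `data` are base64-encoded, not encrypted: anyone with read access to
# the Secret (or to this file in version control) can recover them. Keep real values
# out of committed manifests and enable encryption at rest on the API server.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm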
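---
# Volume Manifest: attaches storage to a container.
# emptyDir lives only as long as the Pod; it is scratch space, not persistent storage.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      image: nginx
      volumeMounts:
        - name: myvolume
          mountPath: /data
  volumes:
    - name: myvolume
      emptyDir: {}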
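---
# StatefulSet Manifest: Manages the deployment and scaling of stateful applications.
# serviceName must reference a headless Service that provides per-pod DNS entries.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web-statefulset
spec:
  serviceName: "web"
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web-container
          image: nginx:latest
          ports:
            - containerPort: 80
          volumeMounts:
            - name: web-storage
              mountPath: /usr/share/nginx/html
  # One PVC is created per replica from this template; PVCs are not deleted
  # automatically when the StatefulSet is scaled down or removed.
  volumeClaimTemplates:
    - metadata:
        name: web-storage
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: "standard"
        resources:
          requests:
            storage: 1Gi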
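---
# DaemonSet Manifest: Ensures that all (or some) nodes run a copy of a pod.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: mydaemonset
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: mycontainer
          image: nginx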
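---
# Job Manifest: Runs a pod to completion for batch work.
# restartPolicy must be OnFailure or Never for a Job (Always is rejected).
apiVersion: batch/v1
kind: Job
metadata:
  name: myjob
spec:
  template:
    spec:
      containers:
        - name: mycontainer
          image: nginx
      restartPolicy: OnFailure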
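---
# CronJob Manifest: Defines a scheduled task to be run at a specified time or interval.
# batch/v1beta1 CronJob was removed in Kubernetes v1.25; batch/v1 is the stable API.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: mycronjob
spec:
  # Standard five-field cron expression; this one fires every minute.
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: mycontainer
              image: nginx
          restartPolicy: OnFailure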
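---
# HorizontalPodAutoscaler Manifest: Automatically scales the number of pods based on CPU utilization.
# `targetAverageUtilization` is the old v2beta1 field and is rejected by v2beta2/v2;
# the stable autoscaling/v2 API expresses the goal as a `target` object.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: myhpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: mydeployment
  minReplicas: 1
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 50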
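---
# VerticalPodAutoscaler Manifest: Automatically adjusts CPU and memory requests for pods.
# Requires the VPA add-on (CRD + controllers); it is not part of core Kubernetes.
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: myvpa
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: mydeployment
  updatePolicy:
    # "Auto" lets the VPA evict and recreate pods to apply new requests.
    updateMode: "Auto"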
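---
# ResourceQuota Manifest: Sets limits on the amount of compute resources that can be consumed
# in the namespace it is created in.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: myresourcequota
spec:
  hard:
    pods: "10"
    requests.cpu: "4"
    requests.memory: 4Gi
    limits.cpu: "8"
    limits.memory: 8Gi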
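---
# NetworkPolicy Manifest: Defines rules for traffic allowed to and from pods.
# Only ingress to app=myapp is restricted here (to pods labelled role=frontend in the
# same namespace); egress stays unrestricted because no Egress policyType is declared.
# Enforcement requires a CNI plugin that implements NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mynetworkpolicy
spec:
  podSelector:
    matchLabels:
      app: myapp
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend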
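---
# Ingress Manifest: Manages external access to services within the cluster.
# No `tls` section is set, so this rule serves plain HTTP; an ingress controller
# must be installed for the object to have any effect.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myservice
                port:
                  number: 80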
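---
# ServiceMesh (e.g., Istio) Manifest: Provides advanced networking features.
# ISTIO_MUTUAL makes sidecars use Istio-issued certificates for mutual TLS to `host`.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mydestinationrule
spec:
  host: myservice
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL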
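---
# ClusterRole Manifest: Defines sets of permissions for accessing Kubernetes API resources.
# Cluster-scoped: grants read access to pods in every namespace once bound.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: myclusterrole
rules:
  - apiGroups: [""]  # "" is the core API group
    resources: ["pods"]
    verbs: ["get", "list", "watch"]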
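---
# RoleBinding Manifest: Binds a role to a user or group within a namespace.
# The grant is limited to the binding's namespace (`default` here).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myrolebinding
  namespace: default
roleRef:
  kind: Role
  name: myrole
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: User
    name: myuser
    apiGroup: rbac.authorization.k8s.io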
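---
# Role Manifest: Defines sets of permissions for accessing Kubernetes API resources within a namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myrole
  namespace: default
rules:
  - apiGroups: [""]  # "" is the core API group
    resources: ["pods"]
    verbs: ["get", "list", "watch"]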
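---
# PodSecurityPolicy Manifest: Defines a set of security policies for pods.
# PodSecurityPolicy was removed in Kubernetes v1.25; on current clusters use Pod
# Security Admission (namespace labels such as pod-security.kubernetes.io/enforce)
# or an external admission policy engine instead.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mypodsecuritypolicy
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  # Allow-list of volume types; hostPath is deliberately absent.
  volumes:
    - "configMap"
    - "emptyDir"
    - "projected"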
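---
# CustomResourceDefinitions (CRDs) Manifest: Extends the Kubernetes API to support custom resource types.
# apiextensions.k8s.io/v1 requires an OpenAPI v3 schema on every served version;
# without it the CRD is rejected at admission.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  # Must be `<plural>.<group>`.
  name: mycrds.example.com
spec:
  group: example.com
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          # Minimal schema; add `properties` and drop this flag once the spec is defined.
          x-kubernetes-preserve-unknown-fields: true
  scope: Namespaced
  names:
    plural: mycrds
    singular: mycrd
    kind: MyCRD
    shortNames:
      - mc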
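---
# Admission Controllers Manifest: Defines rules for validating and mutating Kubernetes resources.
# The resource lives in the admissionregistration.k8s.io group (`apiVersion: v1` alone is
# rejected), and v1 requires `sideEffects` and `admissionReviewVersions` on each webhook.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: mymutatingwebhookconfig
webhooks:
  - name: webhook.example.com
    clientConfig:
      url: https://webhook.example.com/mutate
      # caBundle: <base64-encoded PEM CA bundle>  # placeholder; when omitted the API
      # server verifies the webhook's certificate against its system trust roots.
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    # failurePolicy defaults to Fail: pod creation is blocked if the webhook is unreachable.
    sideEffects: None
    admissionReviewVersions: ["v1"]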
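---
# Liveness Probe Manifest: Checks if a container in a pod is alive and healthy.
# A failing liveness probe restarts the container.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      image: nginx
      livenessProbe:
        httpGet:
          path: /
          port: 80
        initialDelaySeconds: 15
        periodSeconds: 30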
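---
# Readiness Probe Manifest: Checks if a container in a pod is ready to serve traffic.
# A failing readiness probe removes the pod from Service endpoints without restarting it.
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      image: nginx
      readinessProbe:
        httpGet:
          path: /
          port: 80
        initialDelaySeconds: 10
        periodSeconds: 5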
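---
# StorageClass Manifest: Defines storage classes for dynamic provisioning of persistent volumes.
# kubernetes.io/aws-ebs is the legacy in-tree provisioner; the CSI driver
# (ebs.csi.aws.com, used by `ebs-sc` later in this file) is the supported path.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: mystorageclass
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
  zone: us-west-1a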
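---
# PersistentVolume Manifest: Represents a piece of storage in the cluster.
# hostPath binds to a directory on whichever node the pod lands on: data is not
# shared across nodes and the pod gets access to that node's filesystem. Use it for
# single-node development only.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mypv
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /data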
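---
# PersistentVolumeClaim Manifest: Claims a piece of storage resource defined by a PersistentVolume.
# No storageClassName is set, so the cluster's default StorageClass (if any) is used.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mypvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi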
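---
# Encryption at Rest Manifest: Configures how kube-apiserver encrypts resources in etcd.
# This is an API-server configuration file passed via --encryption-provider-config,
# not a cluster object: `kind: EncryptionConfig` with metadata/spec is not a valid
# resource. The original also listed `secret:` twice under key1 (the second value
# silently wins) and both decoded values were 10-11 bytes, which aescbc rejects.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider is used for writes; all listed providers are tried for reads.
      - aescbc:
          keys:
            - name: key1
              # Placeholder: must be a base64-encoded key of exactly 16, 24 or 32 bytes.
              secret: <base64-encoded-32-byte-key>
      # identity lets pre-existing plaintext objects still be read during migration.
      - identity: {}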
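---
# RBAC Role & binding: EKS IAM-to-Kubernetes identity mapping.
# NOTE(review): EKS only reads the ConfigMap literally named `aws-auth` in
# kube-system; a ConfigMap with any other name has no effect on authentication.
# Mapping both roles into system:masters grants unrestricted cluster-admin, which
# makes the narrower `pod-viewer` ClusterRole defined below irrelevant for them.
# This object is also redefined (same name, different usernames) further down.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth-role-1
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <eks-role-1-arn>
      username: role-1
      groups:
        - system:masters
    - rolearn: <eks-role-2-arn>
      username: role-2
      groups:
        - system:masters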
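---
# IAM Roles: Kubernetes ServiceAccounts intended to stand in for the IAM roles.
# NOTE(review): a ServiceAccount is identified as system:serviceaccount:kube-system:eks-role-1,
# which is a different principal from the `eks-role-1` username produced by the aws-auth mapping.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eks-role-1
  namespace: kube-system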
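---
# Second ServiceAccount; same identity caveat as eks-role-1.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eks-role-2
  namespace: kube-system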
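---
# ConfigMaps for role mapping
# NOTE(review): redefines `aws-auth-role-1` from earlier in this file with a different
# username, so only the last applied copy survives. EKS reads the mapping only from a
# ConfigMap named `aws-auth`; mapping to system:masters grants full cluster-admin.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth-role-1
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <eks-role-1-arn>
      username: eks-role-1
      groups:
        - system:masters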
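---
# Role mapping for the second IAM role; same naming and privilege caveats as above.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth-role-2
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <eks-role-2-arn>
      username: eks-role-2
      groups:
        - system:masters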
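---
# RBAC Setup: read-only access to pods and deployments.
# Two fixes versus the original rule: deployments live in the `apps` API group, so
# listing them under apiGroups [""] granted nothing; and `resourceNames: [""]` does not
# mean "all" - it restricts the rule to a resource literally named "", i.e. matches
# nothing. Omitting resourceNames is what grants access to every object.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-viewer
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]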
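---
# Binds pod-viewer cluster-wide to the eks-role-1 ServiceAccount.
# NOTE(review): this subject is the ServiceAccount, not the IAM principal that
# aws-auth maps to username `eks-role-1`; to cover that identity the subject would
# be `kind: User`. Bound as a ServiceAccount, this grant is never exercised by the
# IAM role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-role-1-binding
subjects:
  - kind: ServiceAccount
    name: eks-role-1
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: pod-viewer
  apiGroup: rbac.authorization.k8s.io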
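---
# Binds pod-viewer cluster-wide to the eks-role-2 ServiceAccount; same subject
# caveat as eks-role-1-binding (the IAM-mapped username is a User, not this SA).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-role-2-binding
subjects:
  - kind: ServiceAccount
    name: eks-role-2
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: pod-viewer
  apiGroup: rbac.authorization.k8s.io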
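---
# Storage: StorageClass, PVC and Pod using the AWS EBS CSI driver.
# WaitForFirstConsumer delays volume creation until a pod is scheduled, so the
# volume is provisioned in the same availability zone as the node.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ebs-sc
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer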
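---
# PVC backed by the ebs-sc StorageClass; stays Pending until a pod consumes it.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ebs-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: ebs-sc
  resources:
    requests:
      storage: 10Gi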
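---
# Pod mounting the EBS-backed claim at /data.
apiVersion: v1
kind: Pod
metadata:
  name: ebs-pod
spec:
  containers:
    - name: ebs-container
      image: nginx
      volumeMounts:
        - mountPath: "/data"
          name: ebs-volume
  volumes:
    - name: ebs-volume
      persistentVolumeClaim:
        claimName: ebs-pvc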