64
bewerkingen
k (Minnozz heeft pagina HSNWiki:Kubernetes hernoemd naar Projects:Kubernetes over een doorverwijzing) |
|||
(11 tussenliggende versies door 3 gebruikers niet weergegeven) | |||
Regel 1.056: | Regel 1.056: | ||
Now, let's make our own Docker image, push it, and start it in a Pod! | Now, let's make our own Docker image, push it, and start it in a Pod! | ||
Here's an example Dockerfile that runs a tiny Perl-based webserver that always responds with its own hostname: | |||
<pre> | |||
$ cat Dockerfile | |||
FROM ubuntu:bionic | |||
RUN apt-get update \ | |||
&& apt-get install -y libmojolicious-perl \ | |||
&& rm -rf /var/lib/apt/lists/* | |||
# Normally, you'd use COPY here, but I wanted to keep this in one file | |||
RUN echo "#!/usr/bin/env perl" >>/app.pl \ | |||
&& echo "use Mojolicious::Lite;" >>/app.pl \ | |||
&& echo "get '/' => sub {" >>/app.pl \ | |||
&& echo " shift->render(text => 'Hello World!'); " >>/app.pl \ | |||
&& echo "};" >>/app.pl \ | |||
&& echo "app->start;" >>/app.pl \ | |||
&& chmod +x /app.pl | |||
EXPOSE 3000 | |||
CMD ["/app.pl", "daemon", "-l"] | |||
$ docker build -t kuberegistry.sjorsgielen.nl/helloworld:latest . | |||
$ docker push kuberegistry.sjorsgielen.nl/helloworld:latest | |||
</pre> | |||
At this point, you should be able to write a Deployment, Service and Ingress for this application, using the examples above. <code>kubectl apply</code> should then start the Pod, Traefik should route the service and whatever host/path you configured should quickly be reachable and respond with "Hello World". We've created our own image and ran it on your cluster! | |||
= To do = | = To do = | ||
Regel 1.062: | Regel 1.089: | ||
* Kubernetes Dashboard | * Kubernetes Dashboard | ||
* Attempt Kubernetes upgrade from 1.13 to 1.14 | * Attempt Kubernetes upgrade from 1.13 to 1.14 | ||
** https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-14/ | |||
** First, do a normal apt upgrade (the kubernetes packages are held and will not be modified) | |||
** Then, unhold the kubeadm package on the master, upgrade it to the right version, then re-hold it | |||
*** This only worked for me after unholding the kubelet and upgrading it as well. | |||
** On the master, "kubeadm upgrade plan", then "kubeadm upgrade apply v1.14.x" | |||
** Upgrade CNI controller by re-running the same <code>kubectl apply</code> as earlier | |||
** Unhold the kubelet and kubectl packages on the master, upgrade them and re-hold them, then restart the kubelet | |||
** For each worker, unhold the kubeadm package, upgrade it, rehold it; cordon (drain) the node; upgrade the node config; install the new kubelet version and restart it; uncordon the node. | |||
*** Here too, this only worked for me after unholding the kubelet and upgrading it as well. | |||
* Try getting information on a pod from inside it using the Kubernetes API | * Try getting information on a pod from inside it using the Kubernetes API | ||
** https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-api-from-a-pod | |||
** <code>wget --ca-certificate=/run/secrets/kubernetes.io/serviceaccount/ca.crt -qO- https://kubernetes.default.svc.cluster.local/api/</code> | |||
** Doesn't need using the Kubernetes API, can be done using env vars: https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/ | |||
* Play with native cronjobs | * Play with native cronjobs | ||
* Play with Statefulset / Daemonset | * Play with Statefulset / Daemonset | ||
Regel 1.070: | Regel 1.109: | ||
** Allow K8s API communication from a pod, but only to receive information about itself | ** Allow K8s API communication from a pod, but only to receive information about itself | ||
** Basically: Make it impossible to root a node even with "broad" privileges on the Kubernetes API server | ** Basically: Make it impossible to root a node even with "broad" privileges on the Kubernetes API server | ||
** https://kubernetes.io/docs/concepts/policy/pod-security-policy/ | |||
* Limiting pods in memory, CPU, I/O | * Limiting pods in memory, CPU, I/O | ||
* Limiting pods in network communication | * Limiting pods in network communication | ||
[[Categorie:Projects]] |