Step 1: Create a ConfigMap
To create a ConfigMap named fresco-config with the key SERVER_URL and value https://www.fresco.me, you can use the following YAML manifest:
yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: fresco-config
data:
  SERVER_URL: https://www.fresco.me
Apply this manifest to your Kubernetes cluster:
bash
kubectl apply -f configmap.yaml
To verify if the ConfigMap is created, you can use the following command:
bash
kubectl get configmap fresco-config
Step 2: Create an nginx pod with an environment variable
Now, create an nginx pod named fresco-nginx-pod with an environment variable SERVER_URL_ENV that takes its value from the ConfigMap you created earlier. Here's the YAML manifest for the pod:
yaml
apiVersion: v1
kind: Pod
metadata:
  name: fresco-nginx-pod
spec:
  containers:
    - name: fresco-nginx-container
      image: nginx
      env:
        - name: SERVER_URL_ENV
          valueFrom:
            configMapKeyRef:
              name: fresco-config
              key: SERVER_URL
Apply this manifest to your Kubernetes cluster:
bash
kubectl apply -f nginx-pod.yaml
You can test the configuration by running the following command inside the pod:
bash
kubectl exec -it fresco-nginx-pod -- sh -c "env | grep SERVER_URL_ENV"
It should display: SERVER_URL_ENV=https://www.fresco.me.
Secrets
Step 1: Create a Secret
Create a Secret named fresco-secret with the data user:admin and pass:pass. You can create it using the following YAML manifest:
yaml
apiVersion: v1
kind: Secret
metadata:
  name: fresco-secret
data:
  user: YWRtaW4=   # base64 of "admin"
  pass: cGFzcw==   # base64 of "pass"
Apply this manifest to your Kubernetes cluster:
bash
kubectl apply -f secret.yaml
Step 2: Modify the nginx pod to use the Secret
Modify the nginx pod to use the fresco-secret and mount it at /etc/test. Here's the updated pod manifest:
yaml
apiVersion: v1
kind: Pod
metadata:
  name: fresco-nginx-pod
spec:
  containers:
    - name: fresco-nginx-container
      image: nginx
      env:
        - name: SERVER_URL_ENV
          valueFrom:
            configMapKeyRef:
              name: fresco-config
              key: SERVER_URL
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/test
  volumes:
    - name: secret-volume
      secret:
        secretName: fresco-secret
Apply this updated manifest to your Kubernetes cluster:
bash
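kubectl delete pod fresco-nginx-pod --ignore-not-found  # volumes cannot be added to an existing pod
kubectl apply -f nginx-pod-updated.yaml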
You can check if the Secret is successfully configured by running the following command inside the pod:
bash
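# Files in a Secret volume already hold the decoded values, so no base64 -d is needed
kubectl exec -it fresco-nginx-pod -- sh -c 'for f in /etc/test/*; do echo "$(basename "$f"): $(cat "$f")"; done'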
It should display both the username (admin) and password (pass).
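The Secret check above, as an added Python example that is not part of the original notes: values under data are base64-encoded rather than encrypted, and the files mounted at /etc/test hold the decoded bytes. The sample manifests are constructed to mirror fresco-secret, and decode_secret_value, mounted_files and lint_secret are hypothetical helper names.

```python
import base64
import binascii

def decode_secret_value(b64_text: str) -> bytes:
    """Decode one Secret `data` value, rejecting anything but canonical base64."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {b64_text!r}") from exc
    # Round-trip check: catches stray padding bits that lenient decoders accept.
    if base64.b64encode(raw).decode("ascii") != b64_text:
        raise ValueError(f"not canonical base64: {b64_text!r}")
    return raw

def mounted_files(secret: dict, mount_path: str) -> dict:
    """Return {file path: bytes} as a pod would see the Secret volume."""
    values = {k: decode_secret_value(v) for k, v in secret.get("data", {}).items()}
    # stringData holds plain text and overrides data for the same key.
    for key, text in secret.get("stringData", {}).items():
        values[key] = text.encode("utf-8")
    return {f"{mount_path.rstrip('/')}/{k}": v for k, v in sorted(values.items())}

def lint_secret(secret: dict) -> list:
    """Return the keys whose `data` value would not decode cleanly."""
    bad = []
    for key, value in secret.get("data", {}).items():
        try:
            decode_secret_value(value)
        except ValueError:
            bad.append(key)
    return sorted(bad)

# Constructed sample mirroring fresco-secret (tutorial values, not real credentials).
FRESCO_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "fresco-secret"},
    "data": {"user": "YWRtaW4=", "pass": "cGFzcw=="},
}
# Constructed malformed variant: the last symbol carries non-zero padding bits.
MALFORMED = {"data": {"user": "YWRtaW4=", "pass": "cGFzcz=="}}

if __name__ == "__main__":
    for path, content in mounted_files(FRESCO_SECRET, "/etc/test").items():
        print(path, "->", content.decode())
    print("keys to fix:", lint_secret(MALFORMED))
```

Because anyone who can read the Secret object or exec into the pod recovers the plaintext this way, read access to Secrets needs the same care as the credentials themselves.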
Persistent Volume
Create a PV and PVC
Create a Persistent Volume (PV) named fresco-pv and a Persistent Volume Claim (PVC) named fresco-pvc. Use the following YAML manifests:
PV (pv.yaml):
yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: fresco-pv
spec:
  storageClassName: manual
  capacity:
    storage: 100Mi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /tmp/fresco
PVC (pvc.yaml):
yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: fresco-pvc
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Mi
Apply these manifests to your Kubernetes cluster:
bash
kubectl apply -f pv.yaml
kubectl apply -f pvc.yaml
You can verify the successful creation and binding of the PVC by running:
bash
kubectl get pv fresco-pv
kubectl get pvc fresco-pvc
Modify the nginx pod to use the PVC
Modify the nginx pod (nginx-pod-updated.yaml) to request the fresco-pvc as a volume and use /usr/share/nginx/html as the mount path. Make sure to add the volumeMounts and volumes sections as follows:
yaml
apiVersion: v1
kind: Pod
metadata:
  name: fresco-nginx-pod
spec:
  containers:
    - name: fresco-nginx-container
      image: nginx
      env:
        - name: SERVER_URL_ENV
          valueFrom:
            configMapKeyRef:
              name: fresco-config
              key: SERVER_URL
      volumeMounts:
        - name: secret-volume
          mountPath: /etc/test
        - name: pvc-volume
          mountPath: /usr/share/nginx/html
  volumes:
    - name: secret-volume
      secret:
        secretName: fresco-secret
    - name: pvc-volume
      persistentVolumeClaim:
        claimName: fresco-pvc
Apply the updated pod manifest to your Kubernetes cluster:
bash
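kubectl delete pod fresco-nginx-pod --ignore-not-found  # volumes cannot be added to an existing pod
kubectl apply -f nginx-pod-updated.yaml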
RBAC
Create a user, namespace, private key, and certificate
Create a namespace named dev:
bash
kubectl create namespace dev
Use openssl to create a private key named emp.key:
bash
openssl genrsa -out emp.key 2048
Create a certificate signing request (CSR) named emp.csr using the private key:
bash
openssl req -new -key emp.key -out emp.csr -subj "/CN=emp/O=dev"
Generate emp.crt by approving the CSR:
bash
# Assumes emp.csr was submitted to the cluster as a CertificateSigningRequest object
# named emp.csr and that the cluster runs a certificate signing controller
kubectl certificate approve emp.csr
kubectl get csr emp.csr -o jsonpath='{.status.certificate}' | base64 --decode > emp.crt
Create a context for the user
Create a new context named dev-ctx that points to the minikube cluster, uses the dev namespace, and sets the user to emp:
bash
kubectl config set-context dev-ctx --cluster=minikube --namespace=dev --user=emp
Set credentials for the user
Set the credentials for the emp user using the private key and certificate:
bash
kubectl config set-credentials emp --client-key=emp.key --client-certificate=emp.crt
Create an RBAC role, bind the user, and deploy an nginx pod
Create an RBAC role named emp-role that grants get and list access on pods and deployments in the dev namespace:
yaml
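apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: emp-role
rules:
  - apiGroups: [""]        # core API group: pods
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]    # deployments belong to the apps API group
    resources: ["deployments"]
    verbs: ["get", "list"]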
Apply this role to your cluster:
bash
kubectl apply -f role.yaml
Bind the emp user to the emp-role:
yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: emp-bind
  namespace: dev
subjects:
  - kind: User
    name: emp
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: emp-role
  apiGroup: rbac.authorization.k8s.io
Apply this role binding:
bash
kubectl apply -f role-binding.yaml
Finally, deploy an nginx pod under the dev-ctx and dev namespace:
bash
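# emp-role grants only get and list, so if this is rejected as forbidden, run the apply with an admin context and -n dev
kubectl --context=dev-ctx apply -f nginx-pod.yaml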
To ensure it's deployed, you can check the pods in the dev namespace:
bash
kubectl --context=dev-ctx get pods -n dev
If you try to access the default namespace with the dev context, the request should fail with a forbidden error, because the emp user has access only to the dev namespace.
Please note that RBAC and certificate signing may vary depending on your Kubernetes setup and version. Adjust the steps accordingly if needed.
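A simplified model of how emp-role and emp-bind are evaluated, added here as an example and not taken from Kubernetes or the original notes. It covers only apiGroups, resources, verbs and the binding's namespace (no ClusterRoles, groups or resourceNames), and compares a rule that lists deployments under the core group "" with one that uses apps, the group deployments belong to. The Request type and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    api_group: str   # "" is the core group (pods); deployments are in "apps"
    resource: str
    namespace: str

def _matches(allowed: list, value: str) -> bool:
    return "*" in allowed or value in allowed

def rule_allows(rule: dict, req: Request) -> bool:
    """A rule matches only if group, resource and verb all match at once."""
    return (_matches(rule["apiGroups"], req.api_group)
            and _matches(rule["resources"], req.resource)
            and _matches(rule["verbs"], req.verb))

def authorize(role: dict, binding: dict, req: Request) -> bool:
    """Evaluate a Role and the RoleBinding that refers to it; unmatched means denied."""
    ns = binding["metadata"]["namespace"]
    if req.namespace != ns or role["metadata"]["namespace"] != ns:
        return False  # a Role grants nothing outside its own namespace
    bound = any(s["kind"] == "User" and s["name"] == req.user
                for s in binding["subjects"])
    return bound and any(rule_allows(r, req) for r in role["rules"])

def make_role(rules: list) -> dict:
    return {"metadata": {"name": "emp-role", "namespace": "dev"}, "rules": rules}

# Constructed objects mirroring emp-role and emp-bind from this page.
BINDING = {"metadata": {"name": "emp-bind", "namespace": "dev"},
           "subjects": [{"kind": "User", "name": "emp"}],
           "roleRef": {"kind": "Role", "name": "emp-role"}}
# Single rule listing deployments under the core group: the group never matches.
CORE_ONLY = make_role([{"apiGroups": [""], "resources": ["pods", "deployments"],
                        "verbs": ["get", "list"]}])
# One rule per API group, so deployments are matched under "apps".
SPLIT = make_role([
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}])

if __name__ == "__main__":
    for req in (Request("emp", "list", "", "pods", "dev"),
                Request("emp", "list", "apps", "deployments", "dev"),
                Request("emp", "create", "", "pods", "dev"),
                Request("emp", "list", "", "pods", "default")):
        print(req, authorize(CORE_ONLY, BINDING, req), authorize(SPLIT, BINDING, req))
```

On a live cluster the same questions can be asked with kubectl auth can-i, for example kubectl --context=dev-ctx auth can-i list deployments -n dev.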